Description
Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.
Published: 2026-03-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote access to arbitrary files via API
Action: Patch
AI Analysis

Impact

A flaw in the Contact Plan, E‑Mail, SMS and Fax modules of Asseco SEE Live 2.0 permits authenticated users to retrieve arbitrary files from the host system. By manipulating the "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls, an attacker can read files that should not be exposed, potentially leaking sensitive data or application credentials. The underlying weakness is improper input validation: the supplied path is not confined to the attachment store, which allows Local File Inclusion and results in information disclosure.

Affected Systems

The vulnerability affects the Asseco SEE Live 2.0 application, specifically its Contact Plan, E‑Mail, SMS and Fax components. Users running this product with the listed modules enabled are at risk. No additional version granularity is provided beyond the 2.0 release.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, and the vulnerability is not currently listed in CISA’s KEV catalog. Nonetheless, the flaw requires only an authenticated session to the API (PR:L in the CVSS vector), so any legitimate user, or an attacker holding a valid account, can trigger it. Attackers would exploit the API’s lack of strict path validation to read arbitrary files, thereby compromising confidentiality; integrity and availability are not affected.

Generated by OpenCVE AI on March 27, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update to a version that addresses the downloadAttachment path validation issue.
  • If no patch is available, restrict access to the problematic API endpoints by implementing firewall or proxy rules to filter out unauthenticated or suspicious requests.
  • Conduct an audit of user permissions to ensure that only trusted accounts can invoke file download operations.
  • Consider disabling or removing the downloadAttachment and downloadAttachmentFromPath API calls if they are not needed.
  • Monitor logs for unusual path traversal attempts and investigate any anomalies promptly.
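The path validation the analysis says is missing, and the log monitoring recommended above, as an added example that is not part of this OpenCVE record or of the vendor's code: a resolver that confines a client-supplied "path" value to the attachment store (rejecting absolute paths, ".." traversal, NUL bytes and symlinks that escape the store), plus a heuristic for flagging traversal attempts in access logs. The base directory and sample paths are constructed, and POSIX path semantics are assumed.

```python
"""Hardened handling of a client-supplied attachment path (added example)."""
from pathlib import Path
from urllib.parse import unquote

# Constructed value: the directory the application keeps attachments under.
ATTACHMENT_BASE = "/srv/live/attachments"


class UnsafeAttachmentPath(ValueError):
    """Raised when a client-supplied path would leave the attachment store."""


def resolve_attachment(requested: str, base_dir: str = ATTACHMENT_BASE) -> Path:
    """Map a client-supplied 'path' value onto a file inside base_dir.

    The check is done on the canonicalised result, not on the raw string, so
    '..' segments, absolute paths and symlinks are all judged by where they
    actually end up. Returns the canonical path or raises UnsafeAttachmentPath.
    """
    if not requested or "\x00" in requested:
        raise UnsafeAttachmentPath("empty or NUL-containing path")
    base = Path(base_dir).resolve()
    # Joining an absolute 'requested' discards base entirely; the containment
    # check below therefore rejects it along with '..' traversal.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafeAttachmentPath(f"escapes attachment store: {requested!r}") from None
    if candidate == base:
        raise UnsafeAttachmentPath("path names the store itself, not a file")
    return candidate


def looks_like_traversal(param_value: str) -> bool:
    """Log-monitoring heuristic: does a raw 'path' query value attempt to leave
    the store? Decodes twice to catch double URL encoding, and treats
    backslashes as separators so Windows-style traversal is not missed."""
    decoded = unquote(unquote(param_value)).replace("\\", "/")
    if decoded.startswith("/") or "\x00" in decoded:
        return True
    return any(segment == ".." for segment in decoded.split("/"))


if __name__ == "__main__":
    # Constructed sample values as they might appear in an access log.
    for value in ("2026/03/invoice.pdf", "..%2F..%2Fsecrets.ini", "%252e%252e/x"):
        print(f"{value!r}: traversal={looks_like_traversal(value)}")
```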

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Local File Inclusion in API Download Endpoints Allows Remote Authenticated Users to Read Host Files
Weaknesses CWE-200
CWE-22

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title LFI in Asseco SEE Live 2.0 Exposes Arbitrary Files to Authenticated Users
Weaknesses CWE-20
CWE-22

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title LFI in Asseco SEE Live 2.0 Exposes Arbitrary Files to Authenticated Users
Weaknesses CWE-20
CWE-22

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Authenticated File Disclosure via API Path Parameter
Weaknesses CWE-22

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Authenticated File Disclosure via API Path Parameter
Weaknesses CWE-22

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Local File Inclusion in Asseco SEE Live 2.0 Allows Remote Authenticated Users to Read Arbitrary Files
Weaknesses CWE-200
CWE-22

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Local File Inclusion in Asseco SEE Live 2.0 Allows Remote Authenticated Users to Read Arbitrary Files
Weaknesses CWE-200
CWE-22

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Remote Authenticated File Disclosure via Path Parameter in Asseco SEE Live 2.0
Weaknesses CWE-22

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Authenticated File Disclosure via Path Parameter in Asseco SEE Live 2.0
Weaknesses CWE-22

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Local File Inclusion in Asseco SEE Live 2.0 Allows Authenticated Users to Read Arbitrary Host Files
Weaknesses CWE-200
CWE-22

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Title Local File Inclusion in Asseco SEE Live 2.0 Allows Authenticated Users to Read Arbitrary Host Files
Weaknesses CWE-200
CWE-22

Sat, 14 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
References

Fri, 13 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
References

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Asseco
Asseco see Live
Vendors & Products Asseco
Asseco see Live

Thu, 12 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:32:45.511Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-66955

Vulnrichment

Updated: 2026-03-14T03:32:28.009Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T19:16:15.077

Modified: 2026-03-16T14:18:00.287

Link: CVE-2025-66955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:21Z

Weaknesses