Description
The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.
Published: 2026-04-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Aranda File Server component writes daily activity logs to a publicly accessible directory with predictable file names. This design flaw allows unauthenticated remote attackers to discover virtual paths of uploaded documents and bypass user-level access controls to download files containing personal data. The weakness aligns with CWE-532, as log files are exposed to unauthorized users, and CWE-377, due to the insecure, deterministic generation of critical information like log paths.

Affected Systems

Aranda Software Aranda Service Desk installations using the File Server component prior to version 8.3.12 are affected. The vulnerability exists in the component that stores logs with predictable names in a directory available to anyone with network access.

Risk and Exploitability

The CVSS base score is 7.5 (High). EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because no authentication is required and the log file names are predictable, exploitation is straightforward once a target is identified. The ability to retrieve protected documents containing personally identifiable information raises the risk for exposed systems.

Generated by OpenCVE AI on April 28, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest update, version 8.3.12 or newer, which removes the publicly accessible log directory and randomizes file names.
  • If an upgrade cannot be performed immediately, restrict the log directory's permissions so that it is accessible only to authenticated users, and/or stop writing uploaded file names to logs located in the web-accessible area.
  • Audit and delete any existing logs or files in the directory that contain sensitive documents to eliminate the risk of accidental exposure.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Arandasoft; Arandasoft aranda File Server

Type: Vendors & Products
Values Removed: (none)
Values Added: Arandasoft; Arandasoft aranda File Server

Tue, 28 Apr 2026 20:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: Unrestricted Access to Sensitive Files via Predictable Log Names in Aranda File Server

Tue, 28 Apr 2026 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-377; CWE-532

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII.

Type: References
Values Removed: (none)
Values Added: (not shown)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T15:56:56.925Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67223

Vulnrichment

Updated: 2026-04-28T15:54:28.704Z

NVD

Status: Deferred

Published: 2026-04-28T15:16:06.033

Modified: 2026-04-28T20:18:13.020

Link: CVE-2025-67223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:11:09Z

Weaknesses