{"uuid": "d5fad61b-acf9-457f-aa82-e57a34b54457", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-65478", "type": "seen", "source": "https://gist.github.com/0xSY-SEC/4b5b3cd646104a79f1ed926bb6345b2c", "content": "# Security Advisory: CVE-2025-65478\n\n## Summary\n\nA path traversal vulnerability (CWE-22) exists in the webui module of Mirth Connect Administrator 3.5.x. Remote attackers can read arbitrary files on the server by injecting `../` sequences into the `file_name` parameter.\n\n## Details\n\n- **CVE ID:** CVE-2025-65478\n- **CWE:** CWE-22 (Path Traversal)\n- **Vendor:** Mirth Corporation\n- **Affected Product:** Mirth Connect Administrator 3.5.x\n- **Attack Type:** Remote\n- **Impact:** Information Disclosure (arbitrary file read)\n- **Discoverer:** EMonkey\n\n## Vulnerability Description\n\nThe file download function for the `sys_dia_data_down` interface in the webui module fails to properly sanitize the `file_name` parameter. An attacker can inject path traversal sequences (`../`) to read arbitrary files outside the intended directory, without authentication.\n\n## Proof of Concept\n\n```\nGET /webui/?g=sys_dia_data_down&file_name=../../../../../etc/passwd HTTP/1.1\nHost: \nConnection: keep-alive\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/141.0.0.0 Safari/537.36\n```\n\n## Impact\n\nRemote attackers can read sensitive server files (e.g., `/etc/passwd`) without authentication, leading to disclosure of sensitive information.\n\n## Timeline\n\n- Reported to MITRE CVE Assignment Team\n- CVE ID Assigned: CVE-2025-65478 (RESERVED)", "creation_timestamp": "2026-05-31T08:13:27.000000Z"}