CVSS · MEDIUM · 5.3⁄10 · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/RE:L/U:Green
Scoring scenario: GENERAL
attackVector: NETWORK
attackComplexity: LOW
attackRequirements: NONE
privilegesRequired: LOW
userInteraction: NONE
vulnConfidentialityImpact: LOW
subConfidentialityImpact: LOW
vulnIntegrityImpact: LOW
subIntegrityImpact: LOW
vulnAvailabilityImpact: LOW
subAvailabilityImpact: LOW
exploitMaturity: NOT_DEFINED
Safety: NOT_DEFINED
Automatable: YES
Recovery: AUTOMATIC
valueDensity: NOT_DEFINED
vulnerabilityResponseEffort: LOW
providerUrgency: GREEN
CVE-2025-10461 Global file reads caused by improper URL checks in webserver
Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.
This issue affects
smartLink SW-HT: through 1.42
smartLink SW-PN: through 1.03.
Problem: CWE-20 Improper Input Validation CWE-20
Impact: CAPEC-497 File Discovery CAPEC-497
| Product | Affected | Unaffected |
|---|---|---|
| Softing smartLink SW-HT » filesystem Default status is unaffected | through 1.42 | |
| 1.43 | ||
| Softing smartLink SW-PN » filesystem Default status is unaffected | through 1.03 | |
| 1.04 |
CPE Applicability:
CPE Applicability (based on the Affected products section)
-
- cpe:2.3:a:softing:smartlink_sw-ht:*:*:*:*:*:*:*:* is vulnerable from (including) 0 and up to (including) 1.42
- OR cpe:2.3:a:softing:smartlink_sw-ht:1.43:*:*:*:*:*:*:* is not vulnerable
- or
- cpe:2.3:a:softing:smartlink_sw-pn:*:*:*:*:*:*:*:* is vulnerable from (including) 0 and up to (including) 1.03
- OR cpe:2.3:a:softing:smartlink_sw-pn:1.04:*:*:*:*:*:*:* is not vulnerable
Solution
This issue is fixed in
smartLink SW-HT: 1.43
smartLink SW-PN: 1.04Credits
OpenVAS