CVE-2025-3518

Published: Apr 22, 2025

Modified: Apr 24, 2025

PUBLISHED

Description

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern.

Vendor	Product	Versions
Unblu inc.	Unblu Spark	unaffected `7.54.1` unaffected `8.13.1` affected `7.0.0 - <= 7.53.4` affected `8.0.0 - <= 8.12.1`

References

https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-3518

Description

Affected Products

References