Description

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website.

INFO

Published Date :

2025-04-22T17:46:00.961Z

Last Modified :

2025-04-23T15:59:02.433Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-32961 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-32961.

URL Resource
https://docs.jmix.io/jmix/files-vulnerabilities.html cve-icon cve-icon
https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-cuba-application cve-icon cve-icon
https://github.com/cuba-platform/jpawebapi/commit/78b837d7e2b12d0df69cef1bc6042ebf3bdaf22c cve-icon cve-icon
https://github.com/cuba-platform/jpawebapi/security/advisories/GHSA-hg25-w3vg-7279 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact