CVE-2025-65963 - Vulnerability Details - OpenCVE

ReportizFlow

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Humhub	Files

No data.

No data.

References

Link	Providers
https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09
https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4

History

Fri, 28 Nov 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Humhub Humhub files
Vendors & Products		Humhub Humhub files

Wed, 26 Nov 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 25 Nov 2025 23:45:00 +0000

Type	Values Removed	Values Added
Description		Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2.
Title		CFiles Unauthorized Folder/ZIP Access in Public Spaces
Weaknesses		CWE-284 CWE-285
References		https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09 https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-11-25T23:38:49.198Z

Updated: 2025-11-26T16:13:16.288Z

Reserved: 2025-11-18T16:14:56.694Z

Link: CVE-2025-65963

Vulnrichment

Updated: 2025-11-26T16:13:13.399Z

NVD

Status : Received

Published: 2025-11-26T00:15:51.100

Modified: 2025-11-26T00:15:51.100

Link: CVE-2025-65963

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65963", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-18T16:14:56.694Z", "datePublished": "2025-11-25T23:38:49.198Z", "dateUpdated": "2025-11-26T16:13:16.288Z"}, "containers": {"cna": {"title": "CFiles Unauthorized Folder/ZIP Access in Public Spaces", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4"}, {"name": "https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09", "tags": ["x_refsource_MISC"], "url": "https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09"}], "affected": [{"vendor": "humhub", "product": "cfiles", "versions": [{"version": "< 0.16.11", "status": "affected"}, {"version": ">= 0.17.0, < 0.17.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-25T23:38:49.198Z"}, "descriptions": [{"lang": "en", "value": "Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2."}], "source": {"advisory": "GHSA-rv2x-7qwp-2hf4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-26T16:13:10.280528Z", "id": "CVE-2025-65963", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-26T16:13:16.288Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65963", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-26T16:13:10.280528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-26T16:13:13.399Z"}}], "cna": {"title": "CFiles Unauthorized Folder/ZIP Access in Public Spaces", "source": {"advisory": "GHSA-rv2x-7qwp-2hf4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "humhub", "product": "cfiles", "versions": [{"status": "affected", "version": "< 0.16.11"}, {"status": "affected", "version": ">= 0.17.0, < 0.17.2"}]}], "references": [{"url": "https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4", "name": "https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09", "name": "https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-25T23:38:49.198Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65963", "state": "PUBLISHED", "dateUpdated": "2025-11-26T16:13:16.288Z", "dateReserved": "2025-11-18T16:14:56.694Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-25T23:38:49.198Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}