Products | Versions |
---|---|
Spotfire Analyst | 14.0.5 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1 |
Spotfire Statistics Services | 14.0.6 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1 |
Spotfire Enterprise Runtime for R - Server Edition | 1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1 |
Spotfire Service for Python | 1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1 |
Spotfire Service for R | 1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1 |
Spotfire Desktop | 14.4.1 and earlier |
Original release date: April 08, 2025
Last revised: —
CVE-2025-3115
Source: Cloud Software Group Inc.
Vulnerabilities have been identified in Spotfire's Data Functions, which could allow attackers to exploit the system in various ways.
Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions.
Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution.
Successful exploitation of these vulnerabilities within Data Functions could allow an attacker to inject malicious code, gain control over the execution environment, and execute arbitrary files through improperly validated file uploads.
CVSS v4.0 Base Score: 9.4 (Critical)
(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Cloud Software Group has released updated versions of the affected systems which address this issue:
Spotfire Data Function Vulnerability
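An added example, not part of the vendor advisory: a Python check that applies the affected-versions table above to an asset inventory. The host names, the installs and the `HF-002` suffix are constructed, and treating a release absent from the table as "not listed" rather than confirmed fixed is an assumption.

```python
LATER_14 = ["14.1.0", "14.2.0", "14.3.0", "14.4.0", "14.4.1"]
LATER_1 = ["1.18.0", "1.19.0", "1.20.0", "1.21.0", "1.21.1"]

# product -> ("X and earlier" ceiling, individually listed releases), from the table
AFFECTED = {
    "Spotfire Analyst": ("14.0.5", LATER_14),
    "Spotfire Statistics Services": ("14.0.6", LATER_14),
    "Spotfire Enterprise Runtime for R - Server Edition": ("1.17.6", LATER_1),
    "Spotfire Service for Python": ("1.17.6", LATER_1),
    "Spotfire Service for R": ("1.17.6", LATER_1),
    "Spotfire Desktop": ("14.4.1", []),
}

def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; reject other shapes."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def is_affected(product, version):
    """True if the advisory lists this product release as affected."""
    ceiling, listed = AFFECTED[product]  # KeyError: product not in the advisory
    v = parse_version(version)
    return v <= parse_version(ceiling) or v in {parse_version(x) for x in listed}

def triage(inventory):
    """Return (host, product, version, status) rows for every inventory entry."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "AFFECTED" if is_affected(product, version) else "not listed"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown product or odd version: check by hand
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (host names and installs are illustrative).
SAMPLE_INVENTORY = [
    ("bi-app-01", "Spotfire Analyst", "14.0.5"),
    ("bi-app-02", "Spotfire Analyst", "14.0.6"),
    ("stat-01", "Spotfire Statistics Services", "14.0.6"),
    ("pysvc-01", "Spotfire Service for Python", "1.21.1"),
    ("desk-17", "Spotfire Desktop", "14.4.1 HF-002"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Entries that come back as `REVIEW` have a product name or version string the table cannot be matched against and need a manual check.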