Abacus ERP Authenticated Arbitrary File Read Vulnerability

Vulnerability

A vulnerability allowing authenticated users to read arbitrary files exists in Abacus ERP versions prior to 2024.210.16036, 2023.205.15833, and 2022.105.15542. This vulnerability arises from a flawed API route that allows user-controlled absolute paths, enabling the extraction of sensitive information such as the JWT signing key. With this key, an attacker could forge tokens to impersonate other users in API authentication.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the API by forging authentication tokens, allowing an attacker to act as another user.

Remediation

Users can upgrade to Abacus ERP versions 2024.210.16036 or later, 2023.205.15833 or later, or 2022.205.15542 or later to address this vulnerability.
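As an added illustration (this is not Abacus ERP's code; the route path, the `path` query parameter, the export directory and the log lines are constructed assumptions), the following Python contrasts the flawed pattern the advisory describes, a file-serving route that joins a user-controlled path onto its base directory, with a hardened resolver that only accepts relative paths staying under that directory, and adds a detection rule a defender could run over request logs to flag absolute or parent-directory path parameters:

```python
"""Added example: safe path resolution for a file-serving API route, plus a
log-side detection rule. Not Abacus ERP code; all names and data are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed directory the route is meant to serve files from (constructed).
EXPORT_ROOT = "/srv/erp/exports"


class PathRejected(ValueError):
    """Raised when a requested path would resolve outside EXPORT_ROOT."""


def resolve_vulnerable(user_path: str) -> str:
    """Flawed pattern: join the user string onto the base directory.

    posixpath.join discards the base when the right-hand operand is absolute,
    so an absolute user path comes back unchanged and would be read verbatim.
    A relative path with ".." segments is also passed through unnormalised.
    """
    return posixpath.join(EXPORT_ROOT, user_path)


def resolve_hardened(user_path: str) -> str:
    """Accept only relative paths that normalise to a location under EXPORT_ROOT."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    if posixpath.isabs(user_path) or user_path.startswith("\\"):
        raise PathRejected("absolute paths are not accepted")
    normalised = posixpath.normpath(posixpath.join(EXPORT_ROOT, user_path))
    # normpath folds ".." segments; the result must be EXPORT_ROOT itself
    # or lie beneath it, otherwise the request escaped the directory.
    if normalised != EXPORT_ROOT and not normalised.startswith(EXPORT_ROOT + "/"):
        raise PathRejected("path escapes the export directory")
    return normalised


def would_reject(user_path: str) -> bool:
    """True if the hardened resolver refuses the path (convenience for checks)."""
    try:
        resolve_hardened(user_path)
    except PathRejected:
        return True
    return False


def is_suspicious_path_param(value: str) -> bool:
    """Detection rule: decoded value is absolute, has a '..' segment, or uses a
    Windows drive prefix. Deliberately conservative: a '..' that still resolves
    inside the export directory is flagged too, since clients rarely send one."""
    decoded = unquote(unquote(value)).replace("\\", "/")  # single/double encoding
    return (
        decoded.startswith("/")
        or re.match(r"^[A-Za-z]:/", decoded) is not None
        or any(seg == ".." for seg in decoded.split("/"))
    )


def flag_requests(log_lines, param="path"):
    """Return (request target, decoded parameter value) for suspicious requests."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # parse_qs decodes once
        for value in query.get(param, []):
            if is_suspicious_path_param(value):
                flagged.append((m.group(1), unquote(unquote(value))))
    return flagged


# Constructed access-log lines (not real Abacus ERP logs).
SAMPLE_LOG = [
    '10.0.0.5 - alice [09/Jun/2025:19:46:01 +0000] "GET /api/files?path=reports/q1.pdf HTTP/1.1" 200 5120',
    '10.0.0.7 - bob [09/Jun/2025:19:46:09 +0000] "GET /api/files?path=/etc/app/jwt.key HTTP/1.1" 200 64',
    '10.0.0.7 - bob [09/Jun/2025:19:46:15 +0000] "GET /api/files?path=..%2F..%2Fconfig%2Fjwt.key HTTP/1.1" 200 64',
    '10.0.0.9 - carol [09/Jun/2025:19:47:00 +0000] "GET /api/files?path=reports%2F..%2Fq2.pdf HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for target, value in flag_requests(SAMPLE_LOG):
        print(f"suspicious: {target!r} -> {value!r}, hardened rejects: {would_reject(value)}")
```

The hardened resolver rejects the two requests that would leave the export directory and accepts `reports/../q2.pdf`, which normalises to a file inside it; the log rule flags all three because a `..` segment from a client is itself worth a look, even when the route would have served the file safely.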

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.