Asseco SEE Live Local File Inclusion Vulnerability in Contact and Communication Components

Vulnerability

A local file inclusion vulnerability has been identified in Asseco SEE Live version 2.0, specifically within the Contact Plan, E-Mail, SMS, and Fax components. This vulnerability allows remote authenticated users to access files on the host system by exploiting the 'path' parameter in the 'downloadAttachment' and 'downloadAttachmentFromPath' API calls.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the host system.

Reproduction

To reproduce this vulnerability, send a POST request to '/live20/index.php' with the 'requestType' and 'method' parameters set to 'HTTP' and 'Email.downloadAttachment' or 'Email.downloadAttachmentFromPath', respectively. Include the 'path' parameter with the desired file path, such as '/etc/passwd', and the 'downloadToken' parameter with a valid token. The 'model' parameter can also be included when using the 'downloadAttachmentFromPath' method.
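A detection check for the request described above, as an added example that is not part of the original advisory or Asseco's code: it flags logged POSTs to '/live20/index.php' whose 'path' parameter resolves outside the attachment directory. The attachment root, the form-encoded body format, the availability of POST bodies in the log source, and the sample records are assumptions made for this example.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Assumption: attachments are served from this directory; the advisory does not name it.
ATTACHMENT_ROOT = "/var/live20/attachments"
# API calls named in the advisory; the component prefix ("Email." etc.) is ignored.
WATCHED_CALLS = {"downloadAttachment", "downloadAttachmentFromPath"}

def fully_decoded(value, rounds=3):
    """Percent-decode repeatedly so nested encoding is judged in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_confined(path, root=ATTACHMENT_ROOT):
    """True when path, resolved against root, still lies inside root."""
    path = fully_decoded(path)
    if "\x00" in path:
        return False
    resolved = posixpath.normpath(posixpath.join(root, path))
    return resolved == root or resolved.startswith(root.rstrip("/") + "/")

def is_suspicious(uri, body):
    """Flag a logged POST to the endpoint whose 'path' leaves the attachment root."""
    if not uri.split("?", 1)[0].endswith("/live20/index.php"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    calls = {m.rsplit(".", 1)[-1] for m in params.get("method", [])}
    if not calls & WATCHED_CALLS:
        return False
    return any(not is_confined(p) for p in params.get("path", []))

# Constructed sample records (URI, form-encoded body); tokens and 'model' are placeholders.
SAMPLES = [
    ("/live20/index.php", "requestType=HTTP&method=Email.downloadAttachment"
     "&path=2026%2F03%2Finvoice.pdf&downloadToken=PLACEHOLDER"),
    ("/live20/index.php", "requestType=HTTP&method=Email.downloadAttachment"
     "&path=%2Fetc%2Fpasswd&downloadToken=PLACEHOLDER"),
    ("/live20/index.php", "requestType=HTTP&method=Email.downloadAttachmentFromPath"
     "&model=PLACEHOLDER&path=%2Fetc%2Fpasswd&downloadToken=PLACEHOLDER"),
    ("/live20/index.php", "requestType=HTTP&method=Example.otherMethod&path=%2Fetc%2Fpasswd"),
]

def flagged(samples=SAMPLES):
    return [is_suspicious(uri, body) for uri, body in samples]
```

The same confinement test in `is_confined` is the server-side check the affected calls would need before opening a file; set `ATTACHMENT_ROOT` to the deployment's real attachment directory before using it on live logs.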

Added: Mar 12, 2026, 7:30 PM
Updated: Mar 12, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.