
A recent security advisory from iFAX Solutions has revealed a critical vulnerability affecting the HylaFAX Enterprise Web Interface and AvantFAX. The vulnerability, identified as CVE-2025-1782, stems from the improper sanitization of a language form element.
According to the advisory, an authenticated attacker can exploit this flaw to make the PHP code include an arbitrary file, which ultimately lets the attacker execute commands as the web server user. Note that exploitation does not require administrative rights: the advisory stresses that “all installs are vulnerable to attackers with a valid user account.”
To address this flaw, the advisory's recommended resolution is to “only accept user provided language value from a list of available languages,” that is, to allow-list the parameter against the languages actually installed rather than try to sanitize free-form input before it reaches an include path.
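The bug class and the recommended fix, as an added PHP example. This is illustrative code written for this page, not the HylaFAX Enterprise Web Interface or AvantFAX source; the directory layout, file names, function names and the fixture it builds under the system temp directory are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class and the recommended fix. Not code from
// HylaFAX Enterprise Web Interface or AvantFAX; the directory layout, file
// names and function names below are assumptions.

// Vulnerable pattern: the submitted language value is concatenated straight
// into the include path, so a value such as "../evil" pulls in a file that
// is not a language file at all, and PHP executes whatever it contains.
function languageFileVulnerable(string $langDir, string $lang): string
{
    return $langDir . '/' . $lang . '.php';
}

// Allow-list of languages that actually ship with the application, derived
// from the files present in the language directory.
function availableLanguages(string $langDir): array
{
    $langs = [];
    foreach (glob($langDir . '/*.php') as $file) {
        $langs[] = basename($file, '.php');
    }
    return $langs;
}

// Hardened pattern: the user value is only ever compared against the
// allow-list (strict comparison, so no type juggling); anything not on it
// falls back to the default language, so no attacker-controlled string is
// ever part of the include path.
function languageFileSafe(string $langDir, string $lang, string $default = 'en'): string
{
    if (!in_array($lang, availableLanguages($langDir), true)) {
        $lang = $default;
    }
    return $langDir . '/' . $lang . '.php';
}

// Constructed fixture: a language directory with two real language files and
// an attacker-controlled file one level above it.
$base = sys_get_temp_dir() . '/langdemo_' . bin2hex(random_bytes(4));
$langDir = $base . '/lang';
mkdir($langDir, 0700, true);
file_put_contents($langDir . '/en.php', "<?php return ['greeting' => 'Hello'];");
file_put_contents($langDir . '/de.php', "<?php return ['greeting' => 'Hallo'];");
file_put_contents($base . '/evil.php', "<?php return ['executed' => 'attacker file ran'];");

// What an authenticated user could submit as the language form value.
$submitted = '../evil';

$vuln = include languageFileVulnerable($langDir, $submitted);
$safe = include languageFileSafe($langDir, $submitted);

printf("vulnerable: %s\n", json_encode($vuln));
printf("hardened:   %s\n", json_encode($safe));

// Remove the fixture.
foreach ([$langDir . '/en.php', $langDir . '/de.php', $base . '/evil.php'] as $f) {
    unlink($f);
}
rmdir($langDir);
rmdir($base);
```

The vulnerable branch happily includes `evil.php` because traversal in the submitted value is never checked; the hardened branch never uses the submitted string as a path component at all, only as a key to look up in the list of installed languages. That is the difference between sanitizing (stripping `../` and hoping nothing else gets through) and allow-listing, and it is why the advisory's fix is phrased as accepting the value only from a list of available languages.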
The vulnerability impacts a range of versions across both HylaFAX Enterprise Web Interface and AvantFAX.
- HylaFAX Enterprise Web Interface versions 1.3.1, 1.3.0, 1.2.0, and all 0.x releases are affected.
- AvantFAX versions 3.4.0, all 3.3.x releases, and all releases prior to 3.3.0 are also vulnerable.
iFAX Solutions has released corrected versions to patch this vulnerability.
- The corrected versions are 1.3.2 and 1.2.1 for HylaFAX Enterprise Web Interface.
- Version 3.4.1 is the corrected version for AvantFAX.
Given the severity of the vulnerability, with a CVSS 3.1 base score of 9.9, users of the affected products are strongly advised to update to the corrected versions as soon as possible. Because any valid user account is enough to exploit the flaw, reviewing who holds accounts on an exposed instance is a sensible interim step until the update is applied.