{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-34490", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.611Z", "datePublished": "2025-04-28T19:02:03.532Z", "dateUpdated": "2025-11-19T01:26:14.676Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MailEssentials", "vendor": "GFI", "versions": [{"lessThan": "21.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.8", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Frycos"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files."}], "value": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:26:14.676Z"}, "references": [{"tags": ["exploit", "technical-description"], "url": "https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html"}, {"tags": ["vendor-advisory"], "url": "https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read"}], "source": {"discovery": "EXTERNAL"}, "title": "GFI MailEssentials < 21.8 XXE Arbitrary File Read", "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-28T19:43:48.514864Z", "id": "CVE-2025-34490", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T19:44:01.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-28T19:43:48.514864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T19:43:53.842Z"}}], "cna": {"title": "GFI MailEssentials < 21.8 XXE Arbitrary File Read", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Frycos"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GFI", "product": "MailEssentials", "versions": [{"status": "affected", "version": "0", "lessThan": "21.8", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html", "tags": ["exploit", "technical-description"]}, {"url": "https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.", "supportingMedia": [{"type": "text/html", "value": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "21.8", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:26:14.676Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34490", "state": "PUBLISHED", "dateUpdated": "2025-11-19T01:26:14.676Z", "dateReserved": "2025-04-15T19:15:22.611Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-04-28T19:02:03.532Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF05D573-6502-4902-95CC-59E8F15A38FC", "versionEndExcluding": "21.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files."}, {"lang": "es", "value": "Las versiones anteriores a la 21.8 de GFI MailEssentials son vulnerables a un problema de entidad externa XML (XXE). Un atacante remoto autenticado puede enviar solicitudes HTTP manipuladas para leer archivos arbitrarios del sistema."}], "id": "CVE-2025-34490", "lastModified": "2025-11-04T23:15:36.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-28T19:15:47.050", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit"], "url": "https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}