MidnightBSD

Advisories for area9lyceum

CVE-2025-67810

In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
area9lyceum rhapsode 1.47.3
CVE-2025-67811

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4 and beyond.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
area9lyceum rhapsode_learner 1.47.3
area9lyceum rhapsode 1.47.3