CVE-2025-3518

CVE Database · CVE-2025-3518

CVE-2025-3518

· MEDIUMAnalyzed

CVSS v3.1

4.3

CVSS v4.0

5.3

EPSS

0.20%

Published

Apr 22, 2025

Modified

Jun 23, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-284

Affected Products (2)

unblu · spark (up to 7.54.1)vulnerable

unblu · spark (up to 8.13.1)vulnerable

References (1)

https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs