Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for AES by Altium

    CVE-2025-27380 (GCVE-0-2025-27380)

    Vulnerability from nvd – Published: 2026-01-22 01:28 – Updated: 2026-01-22 18:55
    VLAI
    Title
    HTML Injection Leading to Script Execution in Altium Enterprise Server
    Summary
    HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - – Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:28
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T18:47:19.951599Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T18:55:23.707Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "web"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:28:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim\u2019s browser via crafted HTML content.\u003cbr\u003e"
                }
              ],
              "value": "HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim\u2019s browser via crafted HTML content."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 \u2013 Cross-Site Scripting"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 \u2013 Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:29:16.784Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HTML Injection Leading to Script Execution in Altium Enterprise Server",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27380",
        "datePublished": "2026-01-22T01:28:24.200Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T18:55:23.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27379 (GCVE-0-2025-27379)

    Vulnerability from nvd – Published: 2026-01-22 01:17 – Updated: 2026-01-22 19:19
    VLAI
    Title
    Stored Cross-Site Scripting in AES BOM Viewer
    Summary
    A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:16
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T19:19:03.903479Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T19:19:24.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "BOM Viewer"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:16:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.\u003cbr\u003e"
                }
              ],
              "value": "A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:17:54.729Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-Site Scripting in AES BOM Viewer",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27379",
        "datePublished": "2026-01-22T01:17:54.729Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T19:19:24.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27378 (GCVE-0-2025-27378)

    Vulnerability from nvd – Published: 2026-01-22 01:06 – Updated: 2026-01-22 19:20
    VLAI
    Title
    SQL Injection in AES Due to Inactive SQL Parsing Configuration
    Summary
    AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:18
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27378",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T19:19:50.310716Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T19:20:07.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SQL parsing logic",
                "Database query handling"
              ],
              "platforms": [
                "Web"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.\u003cbr\u003e"
                }
              ],
              "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-108",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-108 Command Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:18:38.259Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL Injection in AES Due to Inactive SQL Parsing Configuration",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27378",
        "datePublished": "2026-01-22T01:06:19.022Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T19:20:07.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27380 (GCVE-0-2025-27380)

    Vulnerability from cvelistv5 – Published: 2026-01-22 01:28 – Updated: 2026-01-22 18:55
    VLAI
    Title
    HTML Injection Leading to Script Execution in Altium Enterprise Server
    Summary
    HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - – Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:28
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T18:47:19.951599Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T18:55:23.707Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "web"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:28:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim\u2019s browser via crafted HTML content.\u003cbr\u003e"
                }
              ],
              "value": "HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim\u2019s browser via crafted HTML content."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 \u2013 Cross-Site Scripting"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 \u2013 Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:29:16.784Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HTML Injection Leading to Script Execution in Altium Enterprise Server",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27380",
        "datePublished": "2026-01-22T01:28:24.200Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T18:55:23.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27379 (GCVE-0-2025-27379)

    Vulnerability from cvelistv5 – Published: 2026-01-22 01:17 – Updated: 2026-01-22 19:19
    VLAI
    Title
    Stored Cross-Site Scripting in AES BOM Viewer
    Summary
    A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:16
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T19:19:03.903479Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T19:19:24.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "BOM Viewer"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:16:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.\u003cbr\u003e"
                }
              ],
              "value": "A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:17:54.729Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross-Site Scripting in AES BOM Viewer",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27379",
        "datePublished": "2026-01-22T01:17:54.729Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T19:19:24.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27378 (GCVE-0-2025-27378)

    Vulnerability from cvelistv5 – Published: 2026-01-22 01:06 – Updated: 2026-01-22 19:20
    VLAI
    Title
    SQL Injection in AES Due to Inactive SQL Parsing Configuration
    Summary
    AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Altium AES Affected: 7.0.3 , ≤ 7.0.5 (semver)
    Create a notification for this product.
    Date Public
    2025-04-05 00:18
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27378",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T19:19:50.310716Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-22T19:20:07.317Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SQL parsing logic",
                "Database query handling"
              ],
              "platforms": [
                "Web"
              ],
              "product": "AES",
              "vendor": "Altium",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.0.5",
                  "status": "affected",
                  "version": "7.0.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-04-05T00:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.\u003cbr\u003e"
                }
              ],
              "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-108",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-108 Command Injection"
                }
              ]
            },
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-22T01:18:38.259Z",
            "orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
            "shortName": "Altium"
          },
          "references": [
            {
              "url": "https://www.altium.com/platform/security-compliance/security-advisories"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL Injection in AES Due to Inactive SQL Parsing Configuration",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
        "assignerShortName": "Altium",
        "cveId": "CVE-2025-27378",
        "datePublished": "2026-01-22T01:06:19.022Z",
        "dateReserved": "2025-02-23T21:02:12.105Z",
        "dateUpdated": "2026-01-22T19:20:07.317Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }