
    6 vulnerabilities found for Sparx Pro Cloud Server by Sparx Systems Pty Ltd.

    CVE-2025-15625 (GCVE-0-2025-15625)

    Vulnerability from nvd – Published: 2026-04-17 08:38 – Updated: 2026-04-17 11:46
    VLAI
    Title
    Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server
    Summary
    An unauthenticated user is able to execute arbitrary SQL commands in the Sparx Pro Cloud Server database in certain cases.
    SSVC
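    Exploitation: none; Automatable: no; Technical Impact: total (the CNA's CVSS 4.0 supplemental metrics in the record below list Automatable: YES, so the two assessments differ on this point)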
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:46:00.424270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:46:37.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan\u003eUnauthenticated user is able to\u0026nbsp;\u003c/span\u003eexecute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated user is able to\u00a0execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:38:59.972Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15625",
        "datePublished": "2026-04-17T08:38:59.972Z",
        "dateReserved": "2026-04-09T08:02:35.360Z",
        "dateUpdated": "2026-04-17T11:46:37.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15624 (GCVE-0-2025-15624)

    Vulnerability from nvd – Published: 2026-04-17 08:38 – Updated: 2026-04-17 11:58
    VLAI
    Title
    Plaintext Storage of a Password in Sparx Pro Cloud Server.
    Summary
    Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to Sparx EA, Pro Cloud Server creates local passwords for the users and stores them in plaintext.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    Impacted products
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15624",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:53:16.068396Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:58:38.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u0026nbsp;\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext."
                }
              ],
              "value": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u00a0\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256: Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:38:36.968Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plaintext Storage of a Password in Sparx Pro Cloud Server.",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15624",
        "datePublished": "2026-04-17T08:38:36.968Z",
        "dateReserved": "2026-04-09T08:02:32.647Z",
        "dateUpdated": "2026-04-17T11:58:38.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15623 (GCVE-0-2025-15623)

    Vulnerability from nvd – Published: 2026-04-17 08:37 – Updated: 2026-04-17 12:19
    VLAI
    Title
    Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user
    Summary
    Exposure of Private Personal Information to an Unauthorized Actor and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. An unauthenticated user can retrieve the database password in plaintext in certain situations.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    Impacted products
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15623",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T12:00:21.330537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T12:19:21.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cspan\u003eExposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003cspan\u003eUnauthenticated user can retrieve database password in plaintext in certain situations\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\n\nUnauthenticated user can retrieve database password in plaintext in certain situations"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:37:27.611Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15623",
        "datePublished": "2026-04-17T08:37:27.611Z",
        "dateReserved": "2026-04-09T08:02:30.837Z",
        "dateUpdated": "2026-04-17T12:19:21.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15625 (GCVE-0-2025-15625)

    Vulnerability from cvelistv5 – Published: 2026-04-17 08:38 – Updated: 2026-04-17 11:46
    VLAI
    Title
    Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server
    Summary
    An unauthenticated user is able to execute arbitrary SQL commands in the Sparx Pro Cloud Server database in certain cases.
    SSVC
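    Exploitation: none; Automatable: no; Technical Impact: total (the CNA's CVSS 4.0 supplemental metrics in the record below list Automatable: YES, so the two assessments differ on this point)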
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:46:00.424270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:46:37.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan\u003eUnauthenticated user is able to\u0026nbsp;\u003c/span\u003eexecute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated user is able to\u00a0execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:38:59.972Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15625",
        "datePublished": "2026-04-17T08:38:59.972Z",
        "dateReserved": "2026-04-09T08:02:35.360Z",
        "dateUpdated": "2026-04-17T11:46:37.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15624 (GCVE-0-2025-15624)

    Vulnerability from cvelistv5 – Published: 2026-04-17 08:38 – Updated: 2026-04-17 11:58
    VLAI
    Title
    Plaintext Storage of a Password in Sparx Pro Cloud Server.
    Summary
    Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to Sparx EA, Pro Cloud Server creates local passwords for the users and stores them in plaintext.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    Impacted products
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15624",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:53:16.068396Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:58:38.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u0026nbsp;\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext."
                }
              ],
              "value": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u00a0\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256: Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:38:36.968Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plaintext Storage of a Password in Sparx Pro Cloud Server.",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15624",
        "datePublished": "2026-04-17T08:38:36.968Z",
        "dateReserved": "2026-04-09T08:02:32.647Z",
        "dateUpdated": "2026-04-17T11:58:38.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15623 (GCVE-0-2025-15623)

    Vulnerability from cvelistv5 – Published: 2026-04-17 08:37 – Updated: 2026-04-17 12:19
    Title
    Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user
    Summary
    Exposure of Private Personal Information to an Unauthorized Actor and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. An unauthenticated user can retrieve the database password in plaintext in certain situations.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Credits
    Pasi Orovuo, Solita Oy; Henri Hämäläinen, Solita Oy; Samu Ahvenainen, Solita Oy

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15623",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T12:00:21.330537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T12:19:21.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Sparx Pro Cloud Server",
              "vendor": "Sparx Systems Pty Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.0.163"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasi Orovuo, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Samu Ahvenainen, Solita Oy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cspan\u003eExposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003cspan\u003eUnauthenticated user can retrieve database password in plaintext in certain situations\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\n\nUnauthenticated user can retrieve database password in plaintext in certain situations"
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T08:37:27.611Z",
            "orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
            "shortName": "NCSC-FI"
          },
          "references": [
            {
              "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
        "assignerShortName": "NCSC-FI",
        "cveId": "CVE-2025-15623",
        "datePublished": "2026-04-17T08:37:27.611Z",
        "dateReserved": "2026-04-09T08:02:30.837Z",
        "dateUpdated": "2026-04-17T12:19:21.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }