Path Traversal: '.../...//'

CVE-2025-59793

High

9.4/10

Summary

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-35 - Path Traversal: '.../...//'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

References

Advisory Timeline

Published Feb 17, 2026

Path Traversal: '.../...//'

CVE-2025-59793

Summary

CWE-35 - Path Traversal: '.../...//'

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS