
Axxonsoft Axxon One vulnerabilities

8 known vulnerabilities affecting axxonsoft/axxon_one.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2025-10220 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 2.0.0, ≤ 2.0.4 | published 2025-09-10
Use of Unmaintained Third Party Components (CWE-1104) in the NuGet dependency components in AxxonSoft Axxon One VMS 2.0.0 through 2.0.4 on Windows allows a remote attacker to execute arbitrary code or bypass security features via exploitation of vulnerable third-party packages such as Google.Protobuf, DynamicData, System.Runtime.CompilerServices.
Source: NVD
CVE-2025-10226 | P3 | CRITICAL | CVSS 9.8 | affected: ≤ 2.0.8 | published 2025-09-10
Dependency on Vulnerable Third-Party Component (CWE-1395) in the PostgreSQL backend in AxxonSoft Axxon One (C-Werk) 2.0.8 and earlier on Windows and Linux allows a remote attacker to escalate privileges, execute arbitrary code, or cause denial-of-service via exploitation of multiple known CVEs present in PostgreSQL v10.x, which are resolved in Po
Source: NVD
CVE-2025-10223 | P3 | HIGH | CVSS 8.1 | affected: ≤ 2.0.2 | published 2025-09-10
Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an unexpired session token until natural expiration.
Source: NVD
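The behaviour described for CVE-2025-10223 is the classic CWE-613 pattern: authorization decisions are made against a role set that was copied into the session at login, so a revoked role stays usable until the token expires. The following is an added example, not AxxonSoft code and not derived from the product's implementation. It places that vulnerable pattern beside a session store that carries identity only, re-resolves privileges on every request, and drops any session issued before the user's privileges last changed. The user directory, role names, session lifetime and fixed clock are all assumptions made for the demonstration.

```python
"""Added example, not AxxonSoft code: the CWE-613 pattern described for
CVE-2025-10223 (a session keeps the privileges it had at login until the
token expires) next to a session store that re-resolves privileges on
every request and revokes outstanding sessions when they change.
The user directory, role names, session lifetime and clock are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Set

SESSION_TTL = 8 * 3600          # assumed session lifetime, seconds
T0 = 1_700_000_000.0            # fixed "now" so the demo is deterministic

# Hypothetical directory: username -> current roles. Both stores read it;
# an administrator edits it when a privilege is removed.
USERS: Dict[str, Set[str]] = {}


@dataclass
class StaleSession:
    user: str
    roles: Set[str]       # copied at login and never refreshed
    expires: float


class StaleSessionStore:
    """Vulnerable pattern: authorization reads the role set cached in the
    session, so a revoked role stays usable until natural expiration."""

    def __init__(self) -> None:
        self._sessions: Dict[str, StaleSession] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = StaleSession(user, set(USERS[user]), now + SESSION_TTL)
        return token

    def can(self, token: str, role: str, now: float) -> bool:
        s = self._sessions.get(token)
        return s is not None and now < s.expires and role in s.roles


@dataclass
class LiveSession:
    user: str
    expires: float
    priv_version: int     # directory version the session was issued under


class LiveSessionStore:
    """Hardened: the session carries identity only. Roles are looked up per
    request, and any privilege change bumps a per-user version so sessions
    issued under the old privileges are dropped and must re-authenticate."""

    def __init__(self) -> None:
        self._sessions: Dict[str, LiveSession] = {}
        self._priv_version: Dict[str, int] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = LiveSession(user, now + SESSION_TTL,
                                            self._priv_version.get(user, 0))
        return token

    def privileges_changed(self, user: str) -> None:
        """Called by whatever edits the directory (role removal, disable)."""
        self._priv_version[user] = self._priv_version.get(user, 0) + 1

    def is_active(self, token: str) -> bool:
        return token in self._sessions

    def can(self, token: str, role: str, now: float) -> bool:
        s = self._sessions.get(token)
        if s is None or now >= s.expires:
            return False
        if s.priv_version != self._priv_version.get(s.user, 0):
            del self._sessions[token]       # issued under old privileges
            return False
        return role in USERS.get(s.user, set())


def demo() -> Dict[str, bool]:
    """Log in as an admin, remove the admin role a minute later, then ask
    each store whether the original token can still act as admin."""
    USERS["operator"] = {"admin", "viewer"}
    stale, live = StaleSessionStore(), LiveSessionStore()
    t_stale = stale.login("operator", T0)
    t_live = live.login("operator", T0)

    USERS["operator"] = {"viewer"}          # admin role removed
    live.privileges_changed("operator")     # the hardened store is told

    return {
        "stale_still_admin": stale.can(t_stale, "admin", T0 + 60),
        "live_still_admin": live.can(t_live, "admin", T0 + 60),
        "live_token_still_valid": live.is_active(t_live),
    }


if __name__ == "__main__":
    print(demo())
```

Re-resolving roles per request is enough to stop the stale-privilege check on its own; the version bump goes one step further and kills the whole session, so an account that was downgraded (or disabled) cannot keep using a token that was issued under higher trust. Either way, the component that edits privileges has to notify the session store, which is the step a product shipping the vulnerable pattern is missing.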
CVE-2025-10224 | P3 | HIGH | CVSS 7.1 | affected: ≤ 2.0.2 | published 2025-09-10
Improper Authentication (CWE-287) in the LDAP authentication engine in AxxonSoft Axxon One (C-Werk) 2.0.2 and earlier on Windows allows a remote authenticated user to be denied access or misassigned roles via incorrect evaluation of nested LDAP group memberships during login.
Source: NVD
CVE-2025-10225 | P3 | HIGH | CVSS 7.5 | affected: ≤ 2.0.6 | published 2025-09-10
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in the OpenSSL-based session module in AxxonSoft Axxon One (C-Werk) 2.0.6 and earlier on Windows allows a remote attacker under high load conditions to cause application crashes or unpredictable behavior via triggering memory reallocation errors when handling expired ses
Source: NVD
CVE-2025-10221 | P4 | MEDIUM | CVSS 5.5 | affected: ≤ 2.0.4 | published 2025-09-10
Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet / C-WerkNet 2.0.4 and earlier on Windows platforms allows a local attacker to obtain plaintext credentials via reading TRACE log files containing serialized JSON with passwords.
Source: NVD
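The failure mode in CVE-2025-10221 is a call site that serializes a whole configuration object into a TRACE line. The block below is an added example, not AxxonSoft code and not a description of how the ARP Agent logs: it shows a recursive redaction of sensitive-looking keys, applied as a logging handler filter so that even a call site which dumps the object to JSON before logging is covered. The agent configuration, key names and the TRACE level number are constructed for the demonstration.

```python
"""Added example, not AxxonSoft code: a redaction step for TRACE-level logs
that serialize configuration objects as JSON, the failure mode described
for CVE-2025-10221. The agent configuration and key names are constructed."""
import io
import json
import logging
import re
from typing import Any

TRACE = 5                                   # assumed level number for TRACE
logging.addLevelName(TRACE, "TRACE")

# Keys whose values must never reach a log file, matched case-insensitively.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key", re.I)
MASK = "***"


def redact(obj: Any) -> Any:
    """Recursively mask values under sensitive-looking keys. Strings that are
    themselves serialized JSON (a dict dumped into a log argument) are parsed,
    redacted and re-serialized, so the mask survives one level of dumps()."""
    if isinstance(obj, dict):
        return {k: (MASK if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        try:
            inner = json.loads(obj)
        except ValueError:
            return obj
        return json.dumps(redact(inner)) if isinstance(inner, (dict, list)) else obj
    return obj


class RedactingFilter(logging.Filter):
    """Handler filter: rewrites record arguments before the message is
    formatted, so a call site that logs json.dumps(cfg) is still covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, (dict, tuple)):
            record.args = redact(record.args)
        return True


def capture_trace(cfg: dict, redacting: bool) -> str:
    """Emit one TRACE line for cfg through a logger and return the text,
    with or without the filter attached to the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("arp-agent.redacted" if redacting else "arp-agent.raw")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(TRACE)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # The vulnerable call site: the whole config object serialized into the line.
    logger.log(TRACE, "connecting with %s", json.dumps(cfg))
    handler.flush()
    return buf.getvalue()


# Constructed sample: what an agent might hold in memory, including a nested
# credential blob that was already serialized once.
SAMPLE_CFG = {
    "server": "vms.example.internal",
    "user": "svc_arp",
    "password": "Sup3rSecret!",
    "auth": json.dumps({"token": "tok-abc123", "ttl": 300}),
}

if __name__ == "__main__":
    print(capture_trace(SAMPLE_CFG, redacting=False), end="")
    print(capture_trace(SAMPLE_CFG, redacting=True), end="")
```

Key-name matching is a last line of defence, not the fix: the credential object should not be passed to the logger at all, and TRACE output on a production host still needs restrictive file permissions because a local reader is exactly the attacker in this CVE. The filter is worth keeping regardless, since it catches the call site somebody adds next year.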
CVE-2025-10227 | P4 | MEDIUM | CVSS 4.6 | fixed in 2.0.8 | published 2025-09-10
Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported storage or stolen physical drives to extract sensitive archive data in plaintext via lack of encryption at rest.
Source: NVD
CVE-2025-10222 | P4 | LOW | CVSS 3.3 | affected: ≥ 2.0.0, < 2.0.2 | published 2025-09-10
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in the diagnostic dump component in AxxonSoft Axxon One VMS (C-Werk) 2.0.0 through 2.0.1 on Windows allows a local attacker to obtain licensing-related information such as timestamps, license states, and registry values via reading diagnostic export files created by the built-in troub
Source: NVD
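The affected-version ranges above use three notations (bounded ranges, an upper bound only, and "fixed in X"), which is awkward when you have a fleet of installations to check. The following is an added example, not cvebase or AxxonSoft code: it transcribes the ranges as printed on this page and evaluates a deployed version against them. "fixed in X" is read as "< X". The parser and evaluator are our own, and the ranges reflect only what this listing states, not AxxonSoft's own fixed-version guidance.

```python
"""Added example, not cvebase or AxxonSoft code: evaluate a deployed
Axxon One version against the affected ranges printed in the listing above.
The constraint strings are transcribed from this page ("fixed in X" is read
as "< X"); the version parser and evaluator are our own."""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# Transcribed from the listing above, in the page's own notation.
AFFECTED: Dict[str, str] = {
    "CVE-2025-10220": "≥ 2.0.0, ≤ 2.0.4",
    "CVE-2025-10226": "≤ 2.0.8",
    "CVE-2025-10223": "≤ 2.0.2",
    "CVE-2025-10224": "≤ 2.0.2",
    "CVE-2025-10225": "≤ 2.0.6",
    "CVE-2025-10221": "≤ 2.0.4",
    "CVE-2025-10227": "fixed in 2.0.8",
    "CVE-2025-10222": "≥ 2.0.0, < 2.0.2",
}

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
# Two-character operators must be listed before their one-character prefixes.
_CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'2.0.4' -> (2, 0, 4). Pad to three components so 2.0 == 2.0.0;
    longer strings (2.0.4.1) compare lexicographically after 2.0.4."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_constraint(text: str) -> List[Tuple[str, Version]]:
    """'≥ 2.0.0, ≤ 2.0.4' -> [('>=', (2, 0, 0)), ('<=', (2, 0, 4))]."""
    text = text.replace("≥", ">=").replace("≤", "<=").strip()
    fixed = re.match(r"^fixed in\s+(\S+)$", text)
    if fixed:
        return [("<", parse_version(fixed.group(1)))]
    clauses = []
    for part in text.split(","):
        m = _CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"unrecognised clause: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_affected(installed: str, constraint: str) -> bool:
    """True when every clause of the constraint holds for `installed`."""
    v = parse_version(installed)
    return all(_OPS[op](v, bound) for op, bound in parse_constraint(constraint))


def applicable_cves(installed: str) -> List[str]:
    """CVE ids from the listing whose affected range contains `installed`."""
    return sorted(cve for cve, c in AFFECTED.items() if is_affected(installed, c))


if __name__ == "__main__":
    for ver in ("2.0.1", "2.0.4", "2.0.8", "2.0.9"):
        print(f"{ver}: {applicable_cves(ver) or 'none listed'}")
```

Note the asymmetry the page itself carries: CVE-2025-10226 is listed as "2.0.8 and earlier" with no fixed version, so 2.0.8 still matches it here while CVE-2025-10227 ("fixed in 2.0.8") does not. Treat a match as a prompt to check the vendor advisory and the installed PostgreSQL build, not as a verdict.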