Sparx Systems Pro Cloud Server vulnerabilities

7 known vulnerabilities affecting sparx_systems/pro_cloud_server.

Total CVEs
7
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH: 5, MEDIUM: 2

Vulnerabilities

CVE-2026-42097 | P2 | HIGH | CVSS 8.8 | affected ≤ 6.1 | 2026-05-19
CVE-2026-42097 [HIGH] CWE-639: Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vul
Source: nvd

CVE-2026-42096 | P2 | HIGH | CVSS 8.8 | affected ≤ 6.1 | 2026-05-19
CVE-2026-42096 [HIGH] CWE-863: Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version r
Source: nvd

CVE-2026-42099 | P3 | HIGH | CVSS 7.5 | affected ≤ 6.1 | 2026-05-19
CVE-2026-42099 [HIGH] CWE-362: Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents
Source: nvd

CVE-2025-4377 | P3 | HIGH | CVSS 8.3 | affected ≤ 6.0.163 | 2025-05-09
CVE-2025-4377 [HIGH] CWE-20: Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server. This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem. Logview is accessible on Pro Cloud Server Configuration interface. This issue affects Pro Cloud Server: earlier than 6.0.165.
Source: nvd

CVE-2026-42100 | P3 | HIGH | CVSS 7.5 | affected ≤ 6.1 | 2026-05-19
CVE-2026-42100 [HIGH] CWE-228: Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending a specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability
Source: nvd

CVE-2025-4375 | P4 | MEDIUM | CVSS 6.9 | affected ≤ 6.0.14 | 2025-05-09
CVE-2025-4375 [MEDIUM] CWE-352: Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present across the whole application but it can be used to change the Pro Cloud Server Configuration password. This issue affects Pro Cloud Server: earlier than 6.0.165.
Source: nvd

CVE-2025-4376 | P4 | MEDIUM | CVSS 5.3 | affected ≤ 6.0.164 | 2025-05-09
CVE-2025-4376 [MEDIUM] CWE-20: Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server's WebEA model search field allows Cross-Site Scripting (XSS). This issue affects Pro Cloud Server: earlier than 6.0.165.
Source: nvd