Key Information

TVN ID: TVN-202508D002

CVE ID: CVE-2025-8909, CVE-2025-8910, CVE-2025-8911, CVE-2025-8912, CVE-2025-8913, CVE-2025-8914

CVSS:
- CVE-2025-8909: 6.5 (Medium)
- CVE-2025-8910, CVE-2025-8911: 5.1 (Medium)
- CVE-2025-8912: 7.5 (High)
- CVE-2025-8913: 9.8 (Critical)
- CVE-2025-8914: 6.5 (Medium)

Affected Products: Single Sign-On and Electronic Directory Service System, IFTOP_P3_2_1_196 (inclusive) and earlier versions

Vulnerability Description:
- CVE-2025-8909 (Arbitrary File Reading): A remote attacker with general privileges can exploit Absolute Path Traversal to download arbitrary system files.
- CVE-2025-8910, CVE-2025-8911 (Reflected Cross-Site Scripting): An unauthenticated remote attacker can use phishing attacks to execute arbitrary JavaScript code in the victim's browser.
- CVE-2025-8912 (Arbitrary File Reading): An unauthenticated remote attacker can exploit Absolute Path Traversal to download arbitrary system files.
- CVE-2025-8913 (Local File Inclusion): An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the server.
- CVE-2025-8914 (SQL Injection): An unauthenticated remote attacker can inject arbitrary SQL commands to read database contents.

Remediation: Upgrade to version IFTOP_P3_2_1_197 (inclusive) or later

Contact for Vulnerability: Lai Yu-Jen (Chunghwa Cyber Security International), BTTest (Chunghwa Cyber Security International)

Public Disclosure Date: 2025-08-13