Skip to main content

Gmission Web Fax CVE-2025-15070

MEDIUM
Information Exposure (CWE-200)
2025-12-29 09832df1-09c1-45b4-8a85-16c601d30feb
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 02:32 vuln.today

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.

This issue affects Web Fax: from 3.0 before 3.0.1

AnalysisAI

Sensitive information disclosure in Gmission Web Fax 3.0 (before 3.0.1) enables a locally authenticated low-privileged user to access protected fax data without proper authorization. The root cause is missing authorization checks (CWE-200) that can be abused by an authenticated local actor to read confidential information beyond their intended access scope. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

The vulnerability affects the Gmission Web Fax software platform (cpe:2.3:a:gmission:web_fax:*:*:*:*:*:*:*:*), a web-based fax management application developed by Gmission (South Korean vendor). The root cause class is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), arising from absent or insufficient server-side authorization enforcement. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms the flaw is exploitable locally with low-complexity conditions requiring only low-privilege credentials, with no attack target prerequisites and no user interaction. The 'Authentication Abuse' tag indicates that the authentication mechanism is present but the application fails to enforce downstream authorization - a low-privileged authenticated session can be leveraged to reach data objects the user should not be permitted to access.

RemediationAI

The primary fix is to upgrade Gmission Web Fax to version 3.0.1, which addresses the missing authorization controls. The vendor advisory is available at https://www.gmission.co.kr/fax1. If immediate upgrade is not possible, organizations should restrict local system access to the Web Fax application to only those users who require full access to sensitive fax data - for example, by enforcing OS-level access controls or limiting application account provisioning to reduce the pool of low-privileged users who can authenticate. Network-level controls are not applicable given the local attack vector. Tightening session and role-based access controls at the application layer, if configurable outside the patch, may also reduce exposure while awaiting upgrade.

Share

CVE-2025-15070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy