CVE-2025-25223

Summary

The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.

Affected Software

VendorProductVersion RangeStatus
LuxSoftThe LuxCal Web Calendarprior to 5.3.3M (MySQL version)affected
LuxSoftThe LuxCal Web Calendarprior to 5.3.3L (SQLite version)affected

Weaknesses

  • CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References