CVE-2025-25224

Summary

The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.

Affected Software

VendorProductVersion RangeStatus
LuxSoftThe LuxCal Web Calendarprior to 5.3.3M (MySQL version)affected
LuxSoftThe LuxCal Web Calendarprior to 5.3.3L (SQLite version)affected

Weaknesses

  • CWE-306: Missing authentication for critical function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References