CRITICAL🇵🇱 Wersja polska

CVE-2025-34300

CVSS 10.0v4.0pub. 2025-07-16upd. 2026-04-15

A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the  ciwweb.pl http://ciwweb.pl/  Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands.

🤖 AI Analysis
How it works

The vulnerability results from improper input validation (CWE-20) and unsafe use of the template mechanism (CWE-1336) in an application written in Perl — ciwweb.pl. An attacker can provide specially crafted input data that will be interpreted as template code and executed on the server side. Since the exploit does not require any authentication, user interaction, or special network conditions, the attack can be conducted remotely by any entity with access to the application's web interface.

Impact

An unauthenticated attacker can execute arbitrary system commands on the server hosting the application, which in practice means full takeover of the system, including the possibility of data theft, malicious software installation, or lateral movement in the network.

Mitigation & patch

Sawtooth Software Lighthouse Studio should be immediately updated to version 9.16.14 or later in accordance with the version history available in the manufacturer's references. Until the update is implemented, it is recommended to limit network access to the application's web interface exclusively to trusted IP addresses using a firewall.

Who is affected

Sawtooth Software Lighthouse Studio in versions earlier than 9.16.14

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References