{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2954", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-03-29T19:39:01.052Z", "datePublished": "2025-03-30T16:31:05.242Z", "dateUpdated": "2025-03-31T13:04:26.725Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-03-30T16:31:05.242Z"}, "title": "mannaandpoem OpenManus File file_saver.py execute access control", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "mannaandpoem", "product": "OpenManus", "versions": [{"version": "2025.3.0", "status": "affected"}, {"version": "2025.3.1", "status": "affected"}, {"version": "2025.3.2", "status": "affected"}, {"version": "2025.3.3", "status": "affected"}, {"version": "2025.3.4", "status": "affected"}, {"version": "2025.3.5", "status": "affected"}, {"version": "2025.3.6", "status": "affected"}, {"version": "2025.3.7", "status": "affected"}, {"version": "2025.3.8", "status": "affected"}, {"version": "2025.3.9", "status": "affected"}, {"version": "2025.3.10", "status": "affected"}, {"version": "2025.3.11", "status": "affected"}, {"version": "2025.3.12", "status": "affected"}, {"version": "2025.3.13", "status": "affected"}], "modules": ["File Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in mannaandpoem OpenManus up to 2025.3.13. This affects the function execute of the file app/tool/file_saver.py of the component File Handler. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in mannaandpoem OpenManus bis 2025.3.13 gefunden. Es geht dabei um die Funktion execute der Datei app/tool/file_saver.py der Komponente File Handler. Mit der Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N"}}], "timeline": [{"time": "2025-03-29T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-03-29T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-03-29T20:44:18.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "s0l42 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.302007", "name": "VDB-302007 | mannaandpoem OpenManus File file_saver.py execute access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.302007", "name": "VDB-302007 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.521545", "name": "Submit #521545 | OpenManus 2025.3.13 Arbitrary File Writing", "tags": ["third-party-advisory"]}, {"url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T13:04:20.884552Z", "id": "CVE-2025-2954", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T13:04:26.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "mannaandpoem OpenManus File file_saver.py execute access control", "credits": [{"lang": "en", "type": "reporter", "value": "s0l42 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N"}}], "affected": [{"vendor": "mannaandpoem", "modules": ["File Handler"], "product": "OpenManus", "versions": [{"status": "affected", "version": "2025.3.0"}, {"status": "affected", "version": "2025.3.1"}, {"status": "affected", "version": "2025.3.2"}, {"status": "affected", "version": "2025.3.3"}, {"status": "affected", "version": "2025.3.4"}, {"status": "affected", "version": "2025.3.5"}, {"status": "affected", "version": "2025.3.6"}, {"status": "affected", "version": "2025.3.7"}, {"status": "affected", "version": "2025.3.8"}, {"status": "affected", "version": "2025.3.9"}, {"status": "affected", "version": "2025.3.10"}, {"status": "affected", "version": "2025.3.11"}, {"status": "affected", "version": "2025.3.12"}, {"status": "affected", "version": "2025.3.13"}]}], "timeline": [{"lang": "en", "time": "2025-03-29T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-03-29T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-03-29T20:44:18.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.302007", "name": "VDB-302007 | mannaandpoem OpenManus File file_saver.py execute access control", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.302007", "name": "VDB-302007 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.521545", "name": "Submit #521545 | OpenManus 2025.3.13 Arbitrary File Writing", "tags": ["third-party-advisory"]}, {"url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in mannaandpoem OpenManus up to 2025.3.13. This affects the function execute of the file app/tool/file_saver.py of the component File Handler. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in mannaandpoem OpenManus bis 2025.3.13 gefunden. Es geht dabei um die Funktion execute der Datei app/tool/file_saver.py der Komponente File Handler. Mit der Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-03-30T16:31:05.242Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2954", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T13:04:20.884552Z"}}}], "references": [{"url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-03-31T13:04:12.800Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-2954", "state": "PUBLISHED", "dateUpdated": "2025-03-30T16:31:05.242Z", "dateReserved": "2025-03-29T19:39:01.052Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-03-30T16:31:05.242Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mannaandpoem:openmanus:*:*:*:*:*:*:*:*", "matchCriteriaId": "C116E0F1-1817-4AC6-977E-6DA6BB5D4204", "versionEndIncluding": "2025.3.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in mannaandpoem OpenManus up to 2025.3.13. This affects the function execute of the file app/tool/file_saver.py of the component File Handler. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad clasificada como problem\u00e1tica en mannaandpoem OpenManus hasta la versi\u00f3n 2025.3.13. Esta afecta la funci\u00f3n de ejecuci\u00f3n del archivo app/tool/file_saver.py del componente File Handler. La manipulaci\u00f3n genera controles de acceso inadecuados. Se requiere acceso local para abordar este ataque. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2025-2954", "lastModified": "2025-04-15T17:57:44.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-03-30T17:15:19.890", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.302007"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.302007"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.521545"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Broken Link"], "url": "https://magnificent-dill-351.notion.site/Arbitrary-File-Writing-in-OpenManus-2025-3-13-1b9c693918ed805e8e7fd35a896d2d41"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}