### Critical Vulnerability Information

#### CVE-2025-1980

- **Vulnerability Type**: Unrestricted Upload of File with Dangerous Type (CWE-434)
- **Vulnerable Versions**: From 7.0.0.0 through 7.19.39.23
- **Description**: The Ready_ application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, this can result in Remote Code Execution.

#### CVE-2025-1981

- **Vulnerability Type**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
- **Vulnerable Versions**: From 7.0.0.0 through 7.19.39.23
- **Description**: Improper neutralization of input provided by a low-privileged user to the file search functionality allows SQL Injection attacks.

#### CVE-2025-1982

- **Vulnerability Type**: Files or Directories Accessible to External Parties (CWE-552)
- **Vulnerable Versions**: From 7.0.0.0 through 7.19.39.23
- **Description**: A Local File Inclusion vulnerability allows a low-privileged user to provide a link to a local file using the file:// protocol, allowing the attacker to read the content of the file.

#### CVE-2025-1983

- **Vulnerability Type**: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
- **Vulnerable Versions**: From 7.0.0.0 through 7.19.39.23
- **Description**: A cross-site scripting (XSS) vulnerability in the File Explorer upload functionality allows injection of arbitrary JavaScript code in the filename, which is executed when a user interacts with the uploaded file.
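
A defensive upload check covering the two upload issues listed above (CVE-2025-1980 and CVE-2025-1983), as an added example that is not code from Ready_ or from the advisory. The allowed image types, the `accept_upload` function, the `UploadRejected` exception and the sample inputs are assumptions made for illustration.

```python
import html
import os
import re
import uuid

# Assumed policy for a profile-picture upload: image types only, keyed by
# extension with the magic bytes the content must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails the allow-list checks (hypothetical name)."""


def accept_upload(client_filename: str, content: bytes) -> dict:
    """Validate an upload; return the name to store and the name to display."""
    # Drop any directory part sent by the client (both separator styles).
    base = re.split(r"[\\/]", client_filename)[-1].strip()
    if not base or "\x00" in base:
        raise UploadRejected("empty or malformed filename")
    # Only the final extension counts, so "a.png.aspx" is judged as ".aspx"
    # and a bare ".htaccess" has no extension at all.
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} is not on the allow-list")
    # The content must agree with the claimed type.
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return {
        # Server-chosen name: nothing from the client reaches the storage path.
        "stored_name": f"{uuid.uuid4().hex}{ext}",
        # Escaped copy for HTML output, so markup in the name renders as text.
        "display_name": html.escape(base, quote=True),
    }


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # constructed sample content
    samples = [("<img src=x onerror=alert(1)>.png", png), ("avatar.png.aspx", png), ("avatar.png", b"MZ\x90\x00")]
    for name, body in samples:
        try:
            print(name, "->", accept_upload(name, body))
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```

Escaping at output time is still required wherever the original filename is rendered; the escaped copy returned here is only safe in an HTML text or attribute context.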