# CVE-2025-56218 Unrestricted File Upload
# Description
An attacker may upload an Excel file that contains a malicious script or a phishing URL. The application converts the file to PDF and forwards it to the intended recipient for digital signature. Because hyperlinks in the generated PDF are displayed with attacker-controlled text and no warning is presented, the recipient could be deceived into clicking the link and thereby triggering execution of malicious commands
------------------------------------------
# CVSS Score: 5.5 (Medium)
------------------------------------------
Attack Type
* Remote (Authenticated)
------------------------------------------
Affected Versions
* versions before <= 8.6.8
------------------------------------------
Vendor of Product
* Ascertia
------------------------------------------
Affected Product Code Base
* SigningHub
------------------------------------------
Affected Component
* File Upload Function.
------------------------------------------
Mitigations
* Scan the uploaded file before sending it to the target users
------------------------------------------
Vulnerability Details
* An attacker can upload a file containing malicious website/script and send it to a list of users. Through social engineering, users may be directed to the attacker’s phishing website, as the application does not scan uploaded file contents.
------------------------------------------
Fixed versions
* versions after > 8.6.8
------------------------------------------
Discovered By:
* Yazan Abu-Nadi
[4.0K] /data/pocs/e0bfe7d8a6dfd3abf437cce83b2e1ead76bf035a
└── [1.6K] README.md
1 directory, 1 file