CVE-2025-3115: Spotfire Data Function Vulnerability

9.4 CVSS

Description

Injection vulnerabilities: attackers can inject malicious code into Spotfire data functions, potentially gaining control over the system that executes those functions.
Additionally, insufficient validation of filenames during file uploads can allow attackers to upload and execute malicious files, leading to arbitrary code execution.

Classification

CVE ID: CVE-2025-3115

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Products

Vendor: Spotfire

Product: Spotfire Statistics Services, Spotfire Analyst, Deployment Kit used in Spotfire Server, Spotfire Desktop, Spotfire for AWS Marketplace, Spotfire Enterprise Runtime for R - Server Edition, Spotfire Service for Python, Spotfire Service for R

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (estimated probability of exploitation in the wild)

EPSS Percentile: 24.44% (share of all scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-04-18 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3115
https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/

Timeline