CVE-2025-3115

Published: Apr 9, 2025Modified: Nov 11, 2025

9.4

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security@tibco.com (Secondary)

Description

Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution

Affected (27)

Products: Tibco: Spotfire Enterprise Runtime For R, Spotfire Statistics Services, Spotfire Analyst, Spotfire Deployment Kit, Spotfire Desktop, Spotfire Analytics Platform

Tibco

6 products

Spotfire Enterprise Runtime For R

Spotfire Statistics Services

Spotfire Analyst

Spotfire Deployment Kit

Spotfire Desktop

Spotfire Analytics Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Enterprise Runtime For R	Before 6.1.5

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Statistics Services	Before 14.0.7
Tibco Spotfire Statistics Services	Version 14.1.0
Tibco Spotfire Statistics Services	Version 14.2.0
Tibco Spotfire Statistics Services	Version 14.3.0
Tibco Spotfire Statistics Services	Version 14.4.0
Tibco Spotfire Statistics Services	Version 14.4.1

Configuration C

6 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Enterprise Runtime For R	Before 1.17.7
Tibco Spotfire Enterprise Runtime For R	Version 1.18.0
Tibco Spotfire Enterprise Runtime For R	Version 1.19.0
Tibco Spotfire Enterprise Runtime For R	Version 1.20.0
Tibco Spotfire Enterprise Runtime For R	Version 1.21.0
Tibco Spotfire Enterprise Runtime For R	Version 1.21.1

Configuration D

6 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Analyst	Before 14.0.6
Tibco Spotfire Analyst	Version 14.1.0
Tibco Spotfire Analyst	Version 14.2.0
Tibco Spotfire Analyst	Version 14.3.0
Tibco Spotfire Analyst	Version 14.4.0
Tibco Spotfire Analyst	Version 14.4.1

Configuration E

6 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Deployment Kit	Before 14.0.7
Tibco Spotfire Deployment Kit	Version 14.1.0
Tibco Spotfire Deployment Kit	Version 14.2.0
Tibco Spotfire Deployment Kit	Version 14.3.0
Tibco Spotfire Deployment Kit	Version 14.4.0
Tibco Spotfire Deployment Kit	Version 14.4.1

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Desktop	Before 14.4.2

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Tibco Spotfire Analytics Platform	Before 14.4.2

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (1)

https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/

Source: security@tibco.com

Timeline

No history available yet.