Published Security Vulnerabilities & Response
Profisee strives to make its software and services as secure as possible, using modern development standards, robust automated and manual testing as well as engaging professional third-party vulnerability testing firms.
Below is a list of detected vulnerabilities and our response. To learn more about our protocols for reporting security vulnerabilities, please visit https://profisee.com/security/vulnerabilities/.
Path Traversal Vulnerability | January 20, 2025
A Path Traversal vulnerability was recently identified in the File Attachment service that could be exploited by an attacker, but only if they already have a set of compromised credentials and a deep knowledge of the Profisee system. There is no known exploitation or data breach resulting from this vulnerability, and we are addressing this vulnerability proactively due to our commitment to maintaining your trust and securing your data. This vulnerability has been assigned CVE-2025-6240.
Summary of the Vulnerability
The vulnerability exists in the File Attachment service where user-supplied input is not properly sanitized. An attacker can exploit this flaw by crafting a malicious payload containing directory traversal sequences (e.g., ../) to access files outside the intended directory structure. This could potentially lead to:
- Unauthorized access to sensitive files, including configuration files or system files
- Modification of configuration files or system files that could compromise the system
Please note: Successful exploitation requires valid Profisee credentials and targeted API calls.
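As an added illustration that is not Profisee's code and not the actual File Attachment service logic: the flawed join described above beside a containment check that resolves the candidate path and rejects anything outside the store root. The root path /srv/attachments and the function names are assumptions made for the example.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed store root for the demonstration (hypothetical; not Profisee's real layout).
ATTACHMENT_ROOT = Path("/srv/attachments")


def vulnerable_attachment_path(root: Path, user_supplied: str) -> Path:
    """Flawed pattern: the user-supplied name is joined onto the store root with no
    sanitization, so a name carrying '../' sequences leaves the intended directory."""
    return root / user_supplied


def safe_attachment_path(root: Path, user_supplied: str) -> Path:
    """Hardened pattern: normalize the candidate and require it to stay under root.

    Raises ValueError for any name that would resolve outside the attachment store.
    """
    if "\x00" in user_supplied:
        raise ValueError("null byte in attachment name")
    # Treat backslashes as separators as well, so a check run with POSIX rules
    # agrees with what a Windows file system would do with '..\\'.
    normalized = user_supplied.replace("\\", "/")
    # An absolute or drive-anchored name would replace root entirely on join.
    if PurePosixPath(normalized).anchor or PureWindowsPath(user_supplied).anchor:
        raise ValueError("absolute path not allowed")
    root_resolved = root.resolve()
    # resolve() collapses '..' components and follows symlinks, so the containment
    # test is made on the path the file system would actually open.
    candidate = (root_resolved / normalized).resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"path escapes attachment root: {user_supplied!r}")
    return candidate


def is_contained(root: Path, user_supplied: str) -> bool:
    """True when the name stays inside root; False for any rejected name."""
    try:
        safe_attachment_path(root, user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("2025/report.pdf", "docs/../inside.txt", "../../etc/passwd",
                 "..\\..\\windows\\win.ini", "/etc/passwd"):
        print(f"{name!r:28} contained={is_contained(ATTACHMENT_ROOT, name)}")
```

The check runs after resolution rather than by string-matching "../", so a name such as docs/../inside.txt that stays inside the store is still accepted.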
Affected Versions
This vulnerability affects Profisee Platform versions 2020R1 through 2024R2.
Our Response
Upon learning of this issue, we immediately developed and evaluated a fix for the upcoming 25R0 release. We are now back-porting those changes into hotfixes to address this vulnerability for all supported versions as well as 22R2 (out of support). Customers hosting Profisee themselves will be able to apply the hotfix, and it will automatically be applied for SaaS customers, based on the dates below:
Affected Version | Hotfix Availability (date the hotfix will be available for customers to deploy to customer-managed environments and can be deployed to SaaS environments) | SaaS Deployment, US and CA Regions (the next maintenance window when the hotfix will be automatically deployed to SaaS tenants in Profisee's USA and Canada regions) | SaaS Deployment, All Other Regions (the next maintenance window when the hotfix will be automatically deployed to SaaS tenants in Profisee's UK, EU, and AU regions) |
24R2 | January 23, 2025 | January 26, 2025 | January 24, 2025 |
24R1 | January 27, 2025 | February 23, 2025 | February 21, 2025 |
23R2 | January 29, 2025 | February 23, 2025 | February 21, 2025 |
23R1 | January 31, 2025 | February 23, 2025 | February 21, 2025 |
22R2 | February 4, 2025 | February 23, 2025 | February 2, 2025 |
22R1 and earlier | Not supported | N/A | N/A |
Next Steps
- Self-hosted Customers (installed): Log in to the Profisee support portal to access the hotfix files. Documentation will be included; if you need assistance, open a support case for help applying the hotfix.
- Self-hosted Customers (containerized): Updated container images will be published to Profisee's container registry. Documentation will be provided for transitioning your environment to the hotfix container images. If you need assistance, open a support case for help applying the hotfix.
- SaaS Customers: No further action is needed, but you can request an earlier hotfix deployment into your tenant(s) if you prefer not to wait until the next regular maintenance window.