
Security Advisories

This page contains important information regarding security vulnerabilities
that could affect specific versions of Altium 365 products or services.

Security advisories for 2024

Self-signed certificate validation missing - AD

Altium 24.9.0 does not validate the self-signed server certificate, including for cloud connections.

Description

Altium 24.9.0 does not validate the self-signed server certificate, including for cloud connections. This allows man-in-the-middle (MITM) attacks that can steal sensitive data, including authentication credentials or design data.

CVSS: 5.3
Detail of Vulnerability: CVE-2025-27377

Affected Products
  • Product: Altium Designer, AES
  • Affected version: 24.9
  • Mitigated version: 25.2
Recommendations
  • Update to latest version
Revision History
  • Revision: 1.0
  • Date: 17 Mar 2025
  • Description: Initial release of security advisory

XSS in BOM Viewer - AES

BOM Viewer on AES 7.0.3 does not sanitize all fields.

Description

BOM Viewer on AES 7.0.3 does not sanitize all fields. Script execution can be achieved by creating a schematic with a JavaScript payload in the Description field.

CVSS: 6.1
Detail of Vulnerability: CVE-2025-27379

Affected Products
  • Product: AES
  • Affected version: 7.0.3
  • Mitigated version: 7.0.6
Recommendations
  • Update to latest version
Revision History
  • Revision: 1.0
  • Date: 17 Mar 2025
  • Description: Initial release of security advisory

SQL Injection - AES

An inactive configuration allows SQL injection to occur because the latest implementation of the SQL parsing logic is not activated.

Description

An inactive configuration allows SQL injection to occur because the latest implementation of the SQL parsing logic is not activated.

CVSS: 8.5
Detail of Vulnerability: CVE-2025-27378

Affected Products
  • Product: AES
  • Affected version: 7.0.3
  • Mitigated version: 7.0.6
Recommendations
  • Update to latest version
Revision History
  • Revision: 1.0
  • Date: 17 Mar 2025
  • Description: Initial release of security advisory

HTML injection - AES

Altium Enterprise Server is vulnerable to an HTML injection attack that allows the execution of arbitrary JavaScript.

Description

The session ID can be stolen through the Project Release feature.

CVSS: 7.6
Detail of Vulnerability: CVE-2025-27380

Affected Products
  • Product: AES
  • Affected version: 7.0.3
  • Mitigated version: 7.0.6
Recommendations
  • Update to latest version
Revision History
  • Revision: 1.0
  • Date: 17 Mar 2025
  • Description: Initial release of security advisory