Security Advisories
This page contains important information regarding security vulnerabilities
that could affect specific versions of Altium 365 products or services.
Security advisories for 2024
Self-signed certificate validation missing - AD
Altium 24.9.0 does not validate self-signed server certificates, including for cloud connections.
Description
Altium 24.9.0 does not validate self-signed server certificates, including for cloud connections. This allows man-in-the-middle (MITM) attacks that can steal sensitive data, including authentication credentials or design data.
CVSS: 5.3
Detail of Vulnerability: CVE-2025-27377
Affected Products
- Product: Altium Designer, AES
- Affected version: 24.9
- Mitigated version: 25.2
Recommendations
- Update to latest version
Revision History
- Revision: 1.0
- Date: 17 Mar 2025
- Description: Initial release of security advisory
XSS in BOM Viewer - AES
The BOM Viewer in AES 7.0.3 does not sanitize all fields.
Description
The BOM Viewer in AES 7.0.3 does not sanitize all fields. Script execution can be achieved by creating a schematic with a JavaScript payload in the Description field.
CVSS: 6.1
Detail of Vulnerability: CVE-2025-27379
Affected Products
- Product: AES
- Affected version: 7.0.3
- Mitigated version: 7.0.6
Recommendations
- Update to latest version
Revision History
- Revision: 1.0
- Date: 17 Mar 2025
- Description: Initial release of security advisory
SQL Injection - AES
An inactive configuration allows SQL injection because the latest implementation of the SQL parsing logic is not activated.
Description
An inactive configuration allows SQL injection because the latest implementation of the SQL parsing logic is not activated.
CVSS: 8.5
Detail of Vulnerability: CVE-2025-27378
Affected Products
- Product: AES
- Affected version: 7.0.3
- Mitigated version: 7.0.6
Recommendations
- Update to latest version
Revision History
- Revision: 1.0
- Date: 17 Mar 2025
- Description: Initial release of security advisory
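The advisory above describes the vulnerability class, not the affected code. The following added example (not Altium's code; the `parts` table, its rows and the lookup functions are constructed for the demo) shows the pattern that makes SQL injection possible beside its mitigated form, so an engineer verifying a fix knows what to look for: a filter value interpolated into the statement text versus the same value passed as a bound parameter.

```python
"""Added example (not Altium's code): string-built SQL beside a parameterized
query. The table, rows and the test input are constructed for this demo."""
import sqlite3


def make_db():
    """Create an in-memory database with a constructed 'parts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO parts (name, owner) VALUES (?, ?)",
        [("R1 10k", "alice"), ("C3 100n", "alice"), ("U2 MCU", "bob")],
    )
    return conn


def parts_for_owner_unsafe(conn, owner):
    """Vulnerable pattern: the filter value is spliced into the statement text,
    so SQL metacharacters in `owner` change what the query means."""
    sql = "SELECT name FROM parts WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def parts_for_owner_safe(conn, owner):
    """Mitigated pattern: the value is bound as a parameter and is never
    parsed as part of the SQL statement."""
    return [row[0] for row in conn.execute("SELECT name FROM parts WHERE owner = ?", (owner,))]


# Constructed input that closes the string literal and widens the WHERE clause.
PAYLOAD = "bob' OR '1'='1"


def compare(owner):
    """Return (unsafe_rows, safe_rows) for one input so the two can be diffed."""
    conn = make_db()
    try:
        return parts_for_owner_unsafe(conn, owner), parts_for_owner_safe(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", PAYLOAD):
        unsafe, safe = compare(value)
        print(repr(value), "unsafe ->", unsafe, "| safe ->", safe)
```

For a normal value both functions agree; for the constructed payload the string-built query returns every row while the parameterized one returns nothing, because no owner is literally named `bob' OR '1'='1`. Any query path that still builds statements the first way is a candidate for the same defect regardless of which parsing logic is configured.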
HTML injection - AES
Altium Enterprise Server is vulnerable to an HTML injection attack that allows the execution of arbitrary JavaScript.
Description
Session IDs can be stolen through Project Release.
CVSS: 7.6
Detail of Vulnerability: CVE-2025-27380
Affected Products
- Product: AES
- Affected version: 7.0.3
- Mitigated version: 7.0.6
Recommendations
- Update to latest version
Revision History
- Revision: 1.0
- Date: 17 Mar 2025
- Description: Initial release of security advisory
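Both the BOM Viewer XSS advisory and the HTML injection advisory above come down to user-controlled text (a schematic Description field, Project Release content) being rendered into a page without output encoding, with a stolen session ID as the stated impact. The following added example (not Altium's code; the cell layout, the field values, the cookie name and the header strings are constructed for the demo) shows the unescaped rendering beside the escaped form, a crude check a test suite can run over rendered output, and a check that the session cookie carries the flags that keep it out of reach of injected script.

```python
"""Added example (not Altium's code): HTML output encoding for a BOM field and a
Set-Cookie flag check. All markup, field values and headers are constructed."""
import html
import re


def render_description_unsafe(description):
    """Vulnerable pattern: the field is dropped straight into the markup."""
    return '<td class="description">' + description + "</td>"


def render_description_safe(description):
    """Mitigated pattern: escape '<', '>', '&' and quotes so the field can
    only ever be displayed as text inside the cell."""
    return '<td class="description">' + html.escape(description, quote=True) + "</td>"


# Constructed Description values: one ordinary, one carrying a script tag.
BENIGN = 'Resistor 10k 0.1% "0603"'
PAYLOAD = "<script>probe()</script>"

TAG_PATTERN = re.compile(r"<(script|img|svg|iframe|[a-z]+\s+on\w+=)", re.I)


def contains_markup(rendered_cell):
    """Crude detector for rendered output: does the cell still contain an
    executable tag or an inline event handler attribute?"""
    return TAG_PATTERN.search(rendered_cell) is not None


def session_cookie_flags(set_cookie_header, cookie_name="SESSIONID"):
    """Parse one Set-Cookie header and report the HttpOnly/Secure/SameSite
    attributes of the named session cookie. The cookie name is an assumption."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name = parts[0].split("=", 1)[0]
    if name != cookie_name:
        raise ValueError("header does not set " + cookie_name)
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": "samesite" in attrs,
    }


if __name__ == "__main__":
    for value in (BENIGN, PAYLOAD):
        print("unsafe:", render_description_unsafe(value),
              "-> markup:", contains_markup(render_description_unsafe(value)))
        print("safe:  ", render_description_safe(value),
              "-> markup:", contains_markup(render_description_safe(value)))
    print(session_cookie_flags("SESSIONID=abc123; Path=/; HttpOnly; Secure"))
```

The escaped cell shows the payload as literal text, so the detector reports no markup. Even with the flaw present, a session cookie set with `HttpOnly` cannot be read by injected script, which is why checking that flag on the session cookie is a useful second line of defence while the fixed server version is rolled out.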