Security advisory

Details of security vulnerabilities affecting UNICOM products.

CVE ID: CVE-2025-43923
Type: SQL injection
Description: A user who has administrative privilege in Focal Point can perform SQL injection via the image parameter during a delete report image operation.
Found in: Focal Point 7.2.0 to 7.6.2
Fixed in: Focal Point 7.7
Credit: Ianis BERNARD from NATO Cyber Security Centre (NCSC)

CVE ID: CVE-2025-43924
Type: Cross-site scripting (XSS)
Description: The val parameter in SettingController and the rootserviceurl parameter in FriendsController, when entered by an admin, allow stored XSS.
Found in: Focal Point 7.2.0 to 7.6.2
Fixed in: Focal Point 7.7
Credit: Ianis BERNARD from NATO Cyber Security Centre (NCSC)

CVE ID: CVE-2025-43925
Type: Hard-coded cryptographic key
Description: Some information stored in the database is encrypted with a hard-coded key, making it easier for an attacker with access to the database to recover the cleartext data.
Found in: Focal Point 7.2.0 to 7.6.2
Fixed in: Focal Point 7.7
Credit: Ianis BERNARD from NATO Cyber Security Centre (NCSC)