References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

OR
          *cpe:2.3:a:unblu:spark:*:*:*:*:*:*:*:* versions from (including) 7.0.1 up to (excluding) 7.54.1
          *cpe:2.3:a:unblu:spark:*:*:*:*:*:*:*:* versions from (including) 8.0.1 up to (excluding) 8.13.1

Switzerland Government Common Vulnerability Program: https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002 Types: Vendor Advisory

CWE-284

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled.

The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly.

If file sharing is generally enabled, this issue is not of concern.

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002