CVE-2025-0346
Published: 09 January 2025
Description
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2025-0346 is a critical vulnerability in code-projects Content Management System version 1.0, affecting the /admin/publishnews.php file within the Publish News Page component. The issue stems from manipulation of the 'image' argument, enabling unrestricted file upload. Classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-09.
An attacker with high privileges, such as an authenticated administrator, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts: low confidentiality, integrity, and availability effects, potentially through uploading malicious files via the vulnerable endpoint.
Advisories and related details are documented on VulDB (ctiid.290859, id.290859, submit.476728), the project site at code-projects.org, and a public exploit gist at github.com/Lytes/266e5fa6eb4506fe2c7e35166664249a. No specific patch or mitigation steps are detailed in the available references.
The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload vulnerability in the admin panel allows authenticated attackers to upload PHP webshells disguised as images, enabling web shell deployment (T1100, T1505.003), exploitation of a public-facing application (T1190), and staging of tools (T1608.002).