CVE-2025-1555
Published: 21 February 2025
Description
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1555 is a critical vulnerability in hzmanyun Education and Training System 3.1.1, affecting the saveImage function. It enables unrestricted file upload through manipulation of the file argument, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-21.
Remote attackers can exploit this vulnerability without privileges or user interaction, initiating the attack over the network with low complexity. Successful exploitation allows uploading arbitrary files, resulting in low impacts to confidentiality, integrity, and availability.
Advisories from VulDB and a related GitHub report indicate that the vendor was contacted early about the disclosure but provided no response or patches. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)