CVE-2025-1588
Published: 23 February 2025
Description
A vulnerability has been found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage-nurse.php. The manipulation of the argument profilepic leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting vulnerability classes.
Security Summary
CVE-2025-1588 is a path traversal vulnerability classified as critical in PHPGurukul Online Nurse Hiring System 1.0. It affects unknown code within the file /admin/manage-nurse.php, where manipulation of the profilepic argument enables traversal sequences such as '../filedir'. The issue, associated with CWE-22, CWE-23, and CWE-24, was published on 2025-02-23 and carries a CVSS v3.1 base score of 6.5.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Exploitation allows limited impacts to integrity (I:L) and availability (A:L), with no confidentiality loss, potentially enabling unauthorized file operations outside the intended directory via the manipulated profilepic parameter.
Advisories from VulDB (ctiid.296572, id.296572, submit.505441) and a GitHub issue (wqywfvc/CVE/issues/16) detail the vulnerability, noting public disclosure of the exploit which may be used by attackers. The vendor site phpgurukul.com is referenced, though specific mitigation or patch details are not outlined in these initial reports; the researcher advisory mentions contradicting vulnerability classes.
Details
- CWE(s)