CVE-2025-1598
Published: 24 February 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-1598 is a critical vulnerability in SourceCodester Best Church Management Software version 1.0, affecting an unknown functionality within the file /admin/app/asset_crud.php. The flaw enables unrestricted file upload through manipulation of the "photo1" argument and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by an authenticated attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload arbitrary files that could lead to further compromise depending on server configuration.
Advisories from VulDB indicate the vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are referenced. A proof-of-concept exploit has been publicly disclosed, including a detailed write-up on GitHub, increasing the risk of active exploitation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in the web application (/admin/app/asset_crud.php) enables exploitation of public-facing applications (T1190) and facilitates deployment of web shells via arbitrary file upload (T1505.003).