CVE-2025-1676
Published: 25 February 2025
Description
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1676 is a critical vulnerability in the hzmanyun Education and Training System version 3.1.1, specifically affecting the pdf2swf function within the /pdf2swf file. The issue arises from manipulation of the "file" argument, enabling OS command injection, and is linked to CWE-77 and CWE-78. It was published on 2025-02-25 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation allows injection and execution of arbitrary operating system commands on the affected system, potentially compromising confidentiality, integrity, and availability to a low degree.
Advisories and further details are documented on VulDB (https://vuldb.com/?ctiid.296731, https://vuldb.com/?id.296731, https://vuldb.com/?submit.500507) and a GitHub report (https://github.com/Rain1er/report/blob/main/nxb/rce1.md). The exploit has been publicly disclosed and may be used.
The vulnerability's public exploit availability increases the risk of active exploitation in environments running the affected software.
Details
- CWE(s)