CVE-2025-2035
Published: 06 March 2025
Description
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2025-2035 is a critical vulnerability in s-a-zhd Ecommerce-Website-using-PHP version 1.0, affecting an unknown functionality within the /customer_register.php file. The issue arises from manipulation of the "name" argument, enabling unrestricted file upload. It is associated with CWEs-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges, such as a registered user, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling the upload of malicious files through the customer registration process.
Advisories provide further details via VulDB entries (ctiid.298778, id.298778, submit.512404) and websecurityinsights.my.id. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in public-facing PHP web application (/customer_register.php) enables exploitation of public-facing applications (T1190) and staging tools/malware by uploading arbitrary dangerous files for execution (T1608.002), as explicitly mapped in advisories and leading to RCE.