CVE-2025-2038
Published: 06 March 2025
Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Security Summary
CVE-2025-2038 is a critical vulnerability in code-projects Blood Bank Management System 1.0, affecting unspecified processing of the /upload/ path. It enables exposure of information through directory listing, mapped to CWE-548 (Files or Directories Accessible to External Parties) and CWE-552 (Files or Directories Accessible to External Parties). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-06.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and low complexity, requiring no user interaction. Exploitation involves manipulating the /upload/ endpoint to trigger directory listing, resulting in information disclosure with low impacts on confidentiality, integrity, and availability.
Advisories referenced on VulDB (ctiid.298781, id.298781, submit.512558) document the issue, while a GitHub repository (intercpt/XSS1/blob/main/Directorylisting.md) discloses the exploit publicly, noting it may be used by attackers. The project site at code-projects.org provides context on the affected software, but no specific patches or mitigations are detailed in available references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory listing vulnerability in /upload/ exposes file and directory contents, directly enabling File and Directory Discovery (T1083) as noted in advisories.
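A defender-side check for the condition described above, added here as an example and not taken from the advisory or the affected project: given the response your own deployment returns for /upload/, it recognises an auto-generated index page and reports which entries it exposes. The function names and sample responses are constructed for illustration; the marker strings are the titles emitted by Apache mod_autoindex, nginx autoindex and Python's http.server.

```python
import re
from html.parser import HTMLParser

# Title/heading text that common auto-index modules put on generated listings.
LISTING_MARKER = re.compile(
    r"<(?:title|h1)>\s*(?:Index of|Directory listing for)\s+/", re.I
)


class _LinkCollector(HTMLParser):
    """Collects every href found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def audit_response(status, body):
    """Return (is_listing, exposed_entries) for one HTTP response."""
    if status != 200 or not LISTING_MARKER.search(body):
        return False, []
    collector = _LinkCollector()
    collector.feed(body)
    # Drop column-sort links ("?C=N;O=D") and parent-directory links.
    entries = [h for h in collector.hrefs if not h.startswith(("?", "/", "../"))]
    return True, entries


# Constructed sample responses (not captured from a real host).
SAMPLE_LISTING = """<html><head><title>Index of /upload</title></head><body>
<h1>Index of /upload</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="donor_scan.pdf">donor_scan.pdf</a></td></tr>
<tr><td><a href="backup/">backup/</a></td></tr>
</table></body></html>"""
SAMPLE_FORBIDDEN = ("<html><head><title>403 Forbidden</title></head>"
                    "<body><h1>Forbidden</h1></body></html>")

if __name__ == "__main__":
    print(audit_response(200, SAMPLE_LISTING))
    print(audit_response(403, SAMPLE_FORBIDDEN))
```

If the check reports a listing, turning off automatic indexing for the directory (`Options -Indexes` on Apache, `autoindex off;` on nginx) removes the generated page. Files stored under /upload/ remain retrievable by exact name unless access to them is restricted separately.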