CVE-2025-25224
Published: 18 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-25224 is a missing authentication vulnerability (CWE-306) affecting the dloader.php component in LuxCal Web Calendar prior to version 5.3.3M for MySQL deployments and prior to 5.3.3L for SQLite deployments. Published on 2025-02-18, this flaw enables exploitation to obtain arbitrary files from the server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to significant confidentiality impact.
Unauthenticated attackers with network access can exploit this vulnerability remotely with low attack complexity and no user interaction required. By interacting with the dloader.php endpoint, they can retrieve arbitrary files from the server filesystem, potentially exposing sensitive data such as configuration files, user credentials, or other server contents without needing privileges.
Advisories including JVN#26024080 (https://jvn.jp/en/jp/JVN26024080/) provide details on the issue, while the vendor's download page (https://www.luxsoft.eu/?download) offers patched versions 5.3.3M and 5.3.3L. A related forum discussion (https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984) further addresses the vulnerability, with mitigation centered on upgrading to the fixed releases.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in public-facing dloader.php enables remote exploitation of the web app (T1190) for direct retrieval of arbitrary local filesystem files (T1005).