Cyber Posture

CVE-2025-25997

High · Public PoC

Published: 14 February 2025

Modified: 13 May 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0213 (84.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.

Security Summary

CVE-2025-25997 is a Directory Traversal vulnerability (CWE-22) in FeMiner wms version 1.0. The flaw exists in the databak.php component, which allows a remote attacker to obtain sensitive information by traversing directories outside the intended path.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity, no privileges, no user interaction, and unchanged scope. A remote, unauthenticated attacker can leverage this to disclose sensitive information, resulting in high confidentiality impact while leaving integrity and availability unaffected.

Mitigation details are available in the referenced GitHub issue at https://github.com/FeMiner/wms/issues/22.

Details

CWE(s)
CWE-22

Affected Products

feminer wms project
feminer wms
1.0

References