CVE-2025-2952
Published: 30 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2952 is a critical vulnerability in Bluestar Micro Mall 1.0 that enables unrestricted file upload. The issue lies in an unspecified function of the file /api/api.php?mod=upload&type=1, where manipulation of the "File" argument allows an attacker to upload files without restriction. Classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-30.
The vulnerability can be exploited remotely over the network by an attacker with low privileges (PR:L), with low attack complexity and no user interaction required. Successful exploitation has limited impact on confidentiality, integrity, and availability, but an uploaded malicious file can lead to further compromise depending on how the server handles files in the upload location. The exploit has been publicly disclosed and may be actively used.
Advisories and additional details are available from VulDB (https://vuldb.com/?ctiid.302005 and https://vuldb.com/?id.302005) and a Jianshu article (https://www.jianshu.com/p/22d3ae38e628?v=1742101731758). Practitioners should consult these sources for mitigation guidance, as no specific patches are detailed in the core CVE information.
Details
- CWE(s): CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: Bluestar Micro Mall 1.0
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1100 (Web Shell)
Why these techniques?
Unrestricted file upload in a public-facing web application enables exploitation under T1190 and web shell deployment under T1100, giving an attacker code execution and persistence on the web server.
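The following is an added detection example written for this advisory; it is not code from Bluestar Micro Mall or from the cited sources. It parses web server access log lines in combined log format and flags POST requests to the upload endpoint named above (/api/api.php with mod=upload), escalating the finding when the same client then successfully fetches a server-side script from the upload directory, which is the T1100 web shell pattern. The sample log lines, client addresses, timestamps and the /upload/ directory are constructed assumptions; adjust UPLOAD_DIRS to wherever the application actually stores uploaded files.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the advisory).
# IPs, timestamps and the /upload/ directory are assumptions for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2025:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Mar/2025:10:02:40 +0000] "POST /api/api.php?mod=upload&type=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.0.0.9 - - [30/Mar/2025:10:02:45 +0000] "GET /upload/2025/03/a1b2.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.7 - - [30/Mar/2025:10:03:01 +0000] "POST /api/api.php?mod=upload&type=1 HTTP/1.1" 200 91 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Mar/2025:10:03:05 +0000] "GET /upload/2025/03/avatar.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/api/api.php"           # endpoint named in the advisory
UPLOAD_QUERY = {"mod": "upload"}       # mod=upload selects the upload handler
UPLOAD_DIRS = ("/upload/",)            # assumed location of stored uploads
SCRIPT_EXTENSIONS = (".php", ".php5", ".phtml", ".phar")
WINDOW = timedelta(minutes=10)         # how long after an upload a script fetch is correlated


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def is_upload_request(ev):
    """True for a POST to the vulnerable upload endpoint."""
    return (ev["method"] == "POST" and ev["path"] == UPLOAD_PATH
            and all(ev["query"].get(k) == v for k, v in UPLOAD_QUERY.items()))


def is_script_fetch(ev):
    """True when a server-side script is served successfully from an upload directory."""
    p = ev["path"].lower()
    return (ev["method"] == "GET" and p.startswith(UPLOAD_DIRS)
            and p.endswith(SCRIPT_EXTENSIONS) and ev["status"] == 200)


def detect(log_text):
    """Return one finding per upload request; severity becomes 'high' when the same
    client fetches a script from the upload directory within WINDOW afterwards."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if not is_upload_request(ev):
            continue
        finding = {"ip": ev["ip"], "ts": ev["ts"].isoformat(), "severity": "medium",
                   "reason": "POST to upload endpoint (CVE-2025-2952 surface)"}
        for later in events[i + 1:]:
            if later["ip"] != ev["ip"] or later["ts"] - ev["ts"] > WINDOW:
                continue
            if is_script_fetch(later):
                finding["severity"] = "high"
                finding["reason"] = (f"upload followed by execution of {later['path']} "
                                     f"(possible web shell, T1100)")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} at {f['ts']}: {f['reason']}")
```

Run against the constructed sample, the detector reports a high-severity finding for 10.0.0.9 (upload, then a .php file served from /upload/) and a medium-severity finding for 10.0.0.7 (upload followed only by an image fetch). Restricting the script check to the upload directory keeps ordinary requests to the application's own .php pages from triggering it; the complementary mitigation is to configure the web server so that files under the upload directory are never executed as scripts.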