CRITICAL🇵🇱 Wersja polska

CVE-2025-29401

CVSS 9.8v3.1pub. 2025-03-19upd. 2025-06-16

An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.

🤖 AI Analysis
How it works

The /views/plugin.php component does not properly validate the type or content of uploaded files. An attacker can upload a crafted PHP file (such as a webshell or payload) which will be saved on the server. After upload, the file can be executed via a browser or other HTTP request, resulting in arbitrary code execution on the server side.

Impact

An attacker can gain full control over the server — read, modify or delete data, as well as execute arbitrary system commands (RCE). This can lead to a complete breach of the system's confidentiality, integrity, and availability.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until updates are deployed, it is recommended to restrict access to the /views/plugin.php component at the firewall or web server level and monitor uploaded files for suspicious extensions.

Who is affected

Emlog Pro version 2.5.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Emlog

    APP
    Emlog
    2.5.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-22799CRITICAL9.3PL ✓ten sam produkt

Emlog: nieautoryzowany upload pliku PHP przez REST API — RCE

CVE-2025-61318CRITICAL9.1PL ✓ten sam produkt

Emlog Pro – arbitralne usuwanie plików przez path traversal

CVE-2025-25783CRITICAL9.8PL ✓ten sam produkt

Emlog Pro – dowolne przesyłanie plików umożliwiające RCE (admin/plugin.php)

CVE-2023-44974CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers...

CVE-2023-44973CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attacke...