CRITICAL🇵🇱 Wersja polska

CVE-2025-29708

CVSS 9.8v3.1pub. 2025-04-16upd. 2025-04-23

SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-73 (External Control of File Name or Path) occurs in the services management module available at the /dashboard/Services path. An attacker can upload a malicious file (e.g., PHP webshell) without requiring authentication, login, or user interaction. The attack vector is network-based with low complexity, making exploitation trivial.

Impact

Successful exploitation allows an attacker to execute arbitrary code remotely on the server (RCE), which may lead to complete system takeover, data theft, modification of website content, or its destruction.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the fix is implemented, it is recommended to disable or restrict access to the /dashboard/Services module and implement server-side validation for uploaded files (whitelist of allowed types and extensions).

Who is affected

SourceCodester Company Website CMS version 1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Torrahclef Company Website Cms

    APP
    Torrahclef
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-29709CRITICAL9.8PL ✓ten sam produkt

Podatność File Upload w SourceCodester Company Website CMS 1.0

CVE-2025-13560MEDIUM5.5ten sam produkt

A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file ...

CVE-2025-13561MEDIUM5.5ten sam produkt

A vulnerability was determined in SourceCodester Company Website CMS 1.0. This vulnerability affects unknown c...

CVE-2025-29710MEDIUM6.1ten sam produkt

SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.