CRITICAL🇵🇱 Wersja polska

CVE-2025-29709

CVSS 9.8v3.1pub. 2025-04-16upd. 2025-04-23

SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio.

🤖 AI Analysis
How it works

The vulnerability (CWE-73 — External Control of File Name or Path) occurs in the /dashboard/portfolio file, which handles the portfolio creation function. Lack of proper validation of uploaded files allows an attacker to place a file with any extension (e.g., a malicious PHP script) on the server. After uploading such a file, the attacker can directly access its location and trigger server-side code execution.

Impact

An attacker can gain full control of the server through remote code execution (RCE), as well as gain unauthorized access to data, modify website content, or take control of the operating system.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to implement restrictive validation of file types and extensions on the server side, store uploaded files outside the webroot directory, and configure the server to prevent script execution in directories designated for user files.

Who is affected

SourceCodester Company Website CMS version 1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Torrahclef Company Website Cms

    APP
    Torrahclef
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-29708CRITICAL9.8PL ✓ten sam produkt

Podatność file upload w SourceCodester Company Website CMS 1.0

CVE-2025-13560MEDIUM5.5ten sam produkt

A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file ...

CVE-2025-13561MEDIUM5.5ten sam produkt

A vulnerability was determined in SourceCodester Company Website CMS 1.0. This vulnerability affects unknown c...

CVE-2025-29710MEDIUM6.1ten sam produkt

SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.