CVE-2025-52921
Status: Awaiting Analysis
BaseFortify

Publication date: 2025-06-23

Last updated on: 2025-06-23

Assigner: MITRE

Description
In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.
Meta Information
Published: 2025-06-23
Last Modified: 2025-06-23
Generated: 2026-05-07
AI Q&A: 2025-06-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-420
Description: The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Innoshop through version 0.4.1 allows an authenticated attacker to exploit the File Manager functions in the admin panel to execute code on the server. The attacker uploads a crafted file that initially passes the image file check, then uses the Rename Function to change the file extension to .php, bypassing frontend restrictions. Once renamed, the attacker can trigger the execution of the uploaded PHP code via a GET request, leading to remote code execution on the server.


How can this vulnerability impact me?

This vulnerability can have severe impacts including allowing an authenticated attacker to execute arbitrary code on the server, potentially leading to full server compromise. This can result in unauthorized access to sensitive data, modification or deletion of files, disruption of services, and further attacks within the network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious file uploads followed by rename operations to .php extensions in the admin panel's file manager. Since the application relies on frontend checks that can be bypassed with proxy tools (e.g., BurpSuite), intercepting and analyzing HTTP requests to the Rename Function API endpoint for attempts to change file extensions to .php can indicate exploitation attempts. Additionally, checking server directories for unexpected .php files uploaded via the file manager can help detect exploitation. Specific commands are not provided in the resources.
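
The directory check described above can be scripted. The following is an added example, not part of the original entry or of Innoshop: it walks an upload directory and flags files with a PHP-handled extension as well as image-named files that contain a PHP open tag. The extension lists, the function names and the sample files are assumptions constructed for illustration; point `scan_upload_dir` at the real storage path of your installation.

```python
import os
import tempfile

# Extensions assumed to be mapped to the PHP handler; match these to the web server config.
PHP_EXTS = {".php", ".phtml", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

def scan_upload_dir(root, max_bytes=1_048_576):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS:
                # An executable extension in an image store: the renamed state.
                findings.append((rel, "php-extension"))
            elif ext in IMAGE_EXTS:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(max_bytes)  # only the first max_bytes are inspected
                except OSError:
                    findings.append((rel, "unreadable"))
                    continue
                # A PHP open tag inside an "image": the crafted file before renaming.
                if b"<?php" in head.lower():
                    findings.append((rel, "php-tag-in-image"))
    return sorted(findings)

def demo():
    """Scan a constructed directory; all file contents below are made-up samples."""
    png_magic = b"\x89PNG\r\n\x1a\n"
    samples = {
        "logo.png": png_magic + b"\x00" * 32,
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* constructed marker */ ?>",
        "catalog/renamed.php": png_magic + b"<?php /* constructed marker */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_upload_dir(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}\t{rel}")
```

A `php-tag-in-image` finding indicates a staged file that has not yet been renamed, so it is worth alerting on even when no `.php` file is present.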


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the admin panel to trusted users only, monitoring and blocking suspicious file uploads and rename requests that attempt to change file extensions to .php, and disabling or limiting the file manager functionality if possible. Since no official fixes or mitigations have been released as of June 22, 2025, applying strict server-side validation and sanitization of file and directory paths in the file manager API is recommended once a patch is available. Using a web application firewall (WAF) to detect and block malicious requests may also help reduce risk. [1]

