CVE-2025-5906
BaseFortify
Publication date: 2025-06-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | laundry_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5906 is a critical improper authentication vulnerability in code-projects Laundry System version 1.0. The issue affects sensitive endpoints under the /data/ directory, which do not enforce authentication checks. Attackers can bypass login requirements by manipulating URL paths or parameters, allowing them to access privileged functionalities and sensitive data without valid credentials. This flaw enables unauthorized access to the system remotely, potentially leading to full system compromise. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data and privileged functionalities within the Laundry System. Attackers can exfiltrate data, modify system configurations, escalate privileges, and perform unauthorized administrative operations. The confidentiality, integrity, and availability of the system are all at risk, potentially resulting in complete system compromise without requiring any authentication. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to sensitive endpoints under the /data/ directory without authentication. For example, you can use curl commands to send requests to these endpoints and check if they respond without requiring authentication tokens. Example commands include: 1. GET request to retrieve data without authentication: curl -v http://<target-ip>/data/all_types.php 2. POST request to insert data without authentication: curl -v -X POST http://<target-ip>/data/insert_laundry.php -d "customer=123&priority=456&weight=789&type=4" -H "Content-Type: application/x-www-form-urlencoded" If these requests succeed without authentication, the system is vulnerable. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing proper role-based access controls and session validation on all sensitive endpoints under the /data/ directory to prevent unauthorized access. This involves implementing authentication checks on every endpoint that currently lacks them, ensuring that only authorized users can access or modify data. Since no known countermeasures or patches are available, consider restricting network access to these endpoints and replacing the affected product with a secure alternative if possible. [1, 2, 3]