CVE-2025-54962
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-08-04
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openplc | openplc_runtime | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The OpenPLC Runtime webserver lets any authenticated user upload arbitrary files (for example .html or .svg) through the /edit-user route. The uploaded file is written to the publicly reachable /static/ directory under a predictable filename, and the server does not adequately validate either the file extension or the MIME type. An attacker holding an account can therefore host active content (an HTML page, or an SVG that carries script) on the PLC webserver's own origin. When another user opens that URL, the script runs in the context of the OpenPLC site as stored Cross-Site Scripting (XSS), and the hosted page can also be used to stage Cross-Site Request Forgery (CSRF) requests against the webserver. [1]
How can this vulnerability impact me? :
Script delivered this way executes in the victim's browser on the OpenPLC webserver's origin, so it runs with the victim's session: it can read or exfiltrate data shown in the web interface and issue requests on the victim's behalf (the CSRF case). Because the malicious file is stored on the server, the attacker only needs an account that can reach /edit-user, while the actions triggered run with the privileges of whichever user views the file. On a PLC that can mean unauthorized changes to the runtime's configuration and, through it, to the controlled process. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can confirm the weakness on an instance you are authorized to test by checking whether the /edit-user endpoint accepts a non-image file from an authenticated user and then serves it publicly under /static/. Log in to the OpenPLC Runtime webserver, submit a harmless test file (for example a small .html file) through the /edit-user form, and request the predictable URL http://<server>:<port>/static/<filename>.html without any session cookie. A vulnerable instance answers with HTTP 200 and a text/html Content-Type, so the browser would render the file. On the server itself, listing the webserver's static directory for files that are not images (.html, .htm, .svg) shows whether the weakness has already been used. On the network, a POST to /edit-user followed by GET requests for /static/ paths ending in .html or .svg is the pattern to alert on. The exact commands depend on your environment; with curl, where cookies.txt holds a logged-in session and <field> is the name of the file input in the /edit-user form (the field name is not given here), the check is: 1) curl -X POST -F "<field>=@test.html" -b cookies.txt http://<server>:<port>/edit-user 2) curl -i http://<server>:<port>/static/test.html [1]
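The log-based detection described above, as an added example that is not part of the original page or of the OpenPLC project: it parses combined-format access log lines (an assumption about how the webserver or a reverse proxy in front of it logs), records every POST to /edit-user, and flags each successful GET of an active-content file under /static/ together with the clients that uploaded shortly before. The log lines are constructed for the example; in a stored-XSS case the uploader and the viewer are usually different clients, so the correlation is done across all clients rather than per IP.

```python
import re
from datetime import datetime, timedelta

# Combined log format (nginx/Apache style). Assumption: the OpenPLC webserver,
# or a reverse proxy in front of it, logs requests in this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/edit-user"
# Extensions a browser renders as active content; none of them belong under /static/.
ACTIVE_EXT = (".html", ".htm", ".xhtml", ".svg")

# Constructed sample log: one login, one upload by 10.0.0.5, a victim (10.0.0.9)
# fetching an uploaded HTML file, a benign image request, and an SVG fetch.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2025:10:01:02 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [04/Aug/2025:10:01:10 +0000] "POST /edit-user HTTP/1.1" 302 0
10.0.0.9 - - [04/Aug/2025:10:02:40 +0000] "GET /static/evil.html HTTP/1.1" 200 512
10.0.0.7 - - [04/Aug/2025:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
10.0.0.5 - - [04/Aug/2025:10:05:15 +0000] "GET /static/payload.svg HTTP/1.1" 200 777
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Return one finding per successful GET of an active-content file under
    /static/, listing every client that POSTed to /edit-user within `window`
    before that request (the likely uploaders)."""
    uploads = []
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
            uploads.append(rec)
            continue
        if (rec["method"] == "GET" and rec["path"].startswith("/static/")
                and rec["path"].lower().endswith(ACTIVE_EXT)
                and rec["status"] == 200):
            recent = [u for u in uploads if rec["ts"] - u["ts"] <= window]
            findings.append({
                "path": rec["path"],
                "viewer": rec["ip"],
                "recent_uploaders": sorted({u["ip"] for u in recent}),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

Run against the constructed log this reports /static/evil.html (viewed by 10.0.0.9) and /static/payload.svg, each with 10.0.0.5 as the recent uploader, and ignores the image request. A real deployment should treat any .html or .svg under /static/ as a finding even without a matching upload in the log window, since the file persists long after it was written.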
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling file upload through the /edit-user endpoint until the upstream fix is applied to your version. Where the upload must stay, enforce it server-side with an allowlist rather than a blocklist: accept only the image formats the feature actually needs (for example .jpg or .png), check the declared MIME type against that allowlist, verify the file content itself (magic bytes) rather than trusting the extension, and store the file under a random, server-chosen name so the URL is no longer predictable. Note that the script in an uploaded .html or .svg is executed by the victim's browser, not by the server, so "disabling script execution" on the server does not help; what helps is how /static/ is served: send X-Content-Type-Options: nosniff, serve anything that is not a known image type as application/octet-stream with Content-Disposition: attachment, and add a Content-Security-Policy: sandbox header to responses from that directory. Remove any .html or .svg files already present under /static/, and, if possible, restrict access to the directory instead of leaving it public. Monitoring and alerting on uploads to /edit-user and on requests for active-content files under /static/ help catch attempts in the meantime. [1]
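The server-side checks listed above, as an added example that is not OpenPLC's own code: a pure-Python upload validator that applies an extension allowlist, compares the declared MIME type and the file's magic bytes against that allowlist, caps the size, and returns a random server-chosen filename; plus the response headers that make anything else still sitting in /static/ inert in a browser. The accepted formats, the size limit and the `check_upload` / `static_headers` names are assumptions for the example, not names from the project.

```python
import os
import secrets

# Allowlist of image types the upload accepts (assumption: a user picture is
# all /edit-user needs). Extension -> (MIME type, leading magic bytes).
ALLOWED_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}
MAX_UPLOAD_BYTES = 512 * 1024  # assumed limit for a user picture


def check_upload(filename, data, declared_mime):
    """Validate an uploaded file. Returns (accepted, detail): on success detail
    is the random name to store the file under; on rejection it is the reason.
    The client-supplied filename is used only to read the extension; the
    stored name never derives from it, so the URL is not predictable."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allowlist: %r" % ext
    mime, magic = ALLOWED_TYPES[ext]
    if declared_mime != mime:
        return False, "declared MIME %r does not match .%s" % (declared_mime, ext)
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not data.startswith(magic):
        # Catches an HTML or SVG payload renamed to .png
        return False, "content does not look like %s" % mime
    return True, secrets.token_hex(16) + "." + ext


def static_headers(stored_name):
    """Response headers for anything served from /static/. Known image types
    get their real MIME type; everything else (including legacy .html/.svg
    files already on disk) is forced to download and sandboxed, so a browser
    will not execute it on the webserver's origin."""
    ext = os.path.splitext(stored_name)[1].lower().lstrip(".")
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext in ALLOWED_TYPES:
        headers["Content-Type"] = ALLOWED_TYPES[ext][0]
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = "sandbox"
    return headers


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header, and an SVG with an event handler
    print(check_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"))
    print(check_upload("avatar.svg", b"<svg onload=alert(1)>", "image/svg+xml"))
    print(static_headers("leftover.svg"))
```

The two functions cover the two halves of the fix: `check_upload` stops new active content from being written, and `static_headers` neutralises whatever was uploaded before the fix, which matters because the stored files outlive the patch.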