CVE-2025-8519
BaseFortify
Publication date: 2025-08-04
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | to 1.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8519 is an information disclosure vulnerability in the givanz Vvveb Drag-and-Drop Editor up to version 1.0.5. It occurs in the file /vadmin123/index.php?module=editor/editor, where manipulating the 'url' parameter allows an attacker with enhanced authentication (such as an editor or user with 'Edit website' access) to read arbitrary files from the server directory /var/www/html/public/admin/default. This can expose configuration files, HTML error pages, and legacy files, potentially revealing sensitive or outdated information. The vulnerability can be exploited remotely and has a low severity rating. It is fixed by upgrading to version 1.0.6. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with editor-level authentication to read files on your server that they should not have access to. This unauthorized file reading can lead to exposure of sensitive or configuration information, which could be used to further compromise your system or understand its setup. Although the severity is considered low because no highly sensitive files were found accessible during testing, the exposure of legacy or configuration files still poses a risk to confidentiality. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the endpoint `/vadmin123/index.php?module=editor/editor` with the `url` parameter manipulated to access internal files. For example, an authenticated user with editor privileges can attempt to read files by sending HTTP requests with URLs like `/vadmin123/index.php?module=editor/editor&url=index.html` or `/vadmin123/index.php?module=editor/editor&url=package.json`. Using tools like curl or wget, you can run commands such as: curl -i -b cookie.txt 'http://target/vadmin123/index.php?module=editor/editor&url=index.html' curl -i -b cookie.txt 'http://target/vadmin123/index.php?module=editor/editor&url=package.json' where `cookie.txt` contains authentication cookies for an editor user. Successful retrieval of internal files indicates the presence of the vulnerability. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected Vvveb Drag-and-Drop Editor component to version 1.0.6, which contains the patch identified by commit `f684f3e374d04db715730fc4796e102f5ebcacb2`. This upgrade addresses the vulnerability by fixing the improper handling of the `url` parameter. Until the upgrade can be applied, restrict editor or website editing privileges to trusted users only and monitor access to the vulnerable endpoint to detect any suspicious activity. [1]