CVE-2025-8547
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-09-03
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pybbs_project | pybbs | to 6.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8547 is a critical improper authorization vulnerability in the atjiu pybbs software (up to version 6.0.0) affecting the Email Verification Handler. The system does not enforce immediate email verification during user registration; instead, verification is deferred until the user attempts to upload an avatar. This flaw allows attackers to register multiple accounts using arbitrary email addresses without restriction, effectively impersonating email owners and bypassing proper authorization controls. The vulnerability can be exploited remotely without authentication, impacting the integrity of the system. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows attackers to create multiple unauthorized accounts by bypassing email verification, which can lead to impersonation of arbitrary email owners and bulk account creation. This can undermine the integrity and trustworthiness of the system, potentially enabling further malicious activities such as spam, fraud, or abuse of system resources. Since the exploit is publicly available and can be executed remotely without authentication, the risk of exploitation is significant if the patch is not applied. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or bulk account registrations that bypass email verification, especially focusing on the registration API behavior. Since the exploit involves improper authorization in the Email Verification Handler allowing remote attacks without authentication, network detection could include inspecting API calls to the registration endpoint for missing or invalid email verification codes. Additionally, monitoring for unusual spikes in email verification code requests or registrations without corresponding email verification can indicate exploitation attempts. Specific commands are not provided in the resources, but general approaches include analyzing web server logs for registration requests lacking proper emailCode parameters or using intrusion detection systems to flag suspicious registration patterns. [1, 2, 3]
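The log-analysis approach sketched above, as an added example that is not part of the original advisory or of pybbs: it parses constructed application log lines (the format is invented for this example and assumes the application records the submitted registration parameters, which a plain web-server access log would not do for POST bodies), reports registrations whose emailCode parameter is missing or empty, and flags source IPs that submit several registrations inside a short window. The threshold and window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample log lines (invented format, not real pybbs output):
# timestamp, client IP, method, path and the submitted form parameters.
SAMPLE_LOG = """\
2025-08-05T10:00:01Z ip=203.0.113.10 POST /register params=username=alice&email=alice%40example.com&emailCode=493021
2025-08-05T10:00:05Z ip=198.51.100.7 POST /register params=username=u1&email=ceo%40example.com
2025-08-05T10:00:06Z ip=198.51.100.7 POST /register params=username=u2&email=cfo%40example.com
2025-08-05T10:00:08Z ip=198.51.100.7 POST /register params=username=u3&email=admin%40example.com&emailCode=
2025-08-05T10:00:09Z ip=198.51.100.7 POST /register params=username=u4&email=hr%40example.com
2025-08-05T10:02:00Z ip=203.0.113.22 GET /register params=
2025-08-05T10:03:30Z ip=203.0.113.22 POST /register params=username=carol&email=carol%40example.com&emailCode=117744
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) params=(?P<params>\S*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # keep_blank_values so that "emailCode=" is seen as present-but-empty
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["params"], keep_blank_values=True).items()}
    return rec


def registrations(log_text):
    """Yield only the POST /register records from the log text."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/register":
            yield rec


def unverified_registrations(log_text):
    """Registration requests whose emailCode is absent or empty: (ip, username, email)."""
    return [
        (rec["ip"], rec["params"].get("username", "?"), rec["params"].get("email", "?"))
        for rec in registrations(log_text)
        if not rec["params"].get("emailCode")
    ]


def bulk_registrants(log_text, threshold=3, window=timedelta(minutes=5)):
    """IPs that submitted at least `threshold` registrations inside one sliding window.

    Returns {ip: peak_count_within_window}."""
    by_ip = defaultdict(list)
    for rec in registrations(log_text):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, user, email in unverified_registrations(SAMPLE_LOG):
        print(f"registration without emailCode: ip={ip} username={user} email={email}")
    for ip, count in bulk_registrants(SAMPLE_LOG).items():
        print(f"bulk registration source: ip={ip} registrations_in_window={count}")
```

Both checks are heuristics: a legitimate client behind a shared NAT can trip the per-IP count, and a registration without emailCode is only suspicious on a deployment where the patched flow is expected to require it, so treat the output as triage input rather than a verdict.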
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit 044f22893bee254dc2bb0d30f614913fab3c22c2, which enforces immediate email verification during user registration. This patch introduces a configuration parameter to require email activation, validates email verification codes during registration, and adds rate limiting on sending verification codes to prevent abuse. Applying this patch will prevent unauthorized account creation without proper email verification and mitigate the risk of impersonation and bulk registrations. Users are strongly advised to update to the fixed version or apply the patch as soon as possible. [1, 4]
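The three controls the patch is described as adding (a switch requiring email activation, validation of the verification code at registration time, and rate limiting of code sending), shown together in an added example that is not pybbs code and does not reproduce the referenced commit. The configuration name `require_email_activation`, the code lifetime and the per-hour send limit are assumptions chosen for the example; the code is bound to the exact address it was issued for, is single-use, and is compared in constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 15 * 60           # assumed lifetime of a verification code
MAX_CODES_PER_EMAIL_PER_HOUR = 3     # assumed send limit; pybbs's real limit is not on the page


class RegistrationError(Exception):
    """Raised when a registration or code request is refused."""


@dataclass
class RegistrationService:
    # Assumed name for the configuration switch the patch is described as introducing.
    require_email_activation: bool = True
    # Injectable clock so the expiry behaviour can be demonstrated without sleeping.
    now: Callable[[], float] = time.time
    users: Dict[str, str] = field(default_factory=dict)                      # username -> email
    _codes: Dict[str, Tuple[str, float]] = field(default_factory=dict)       # email -> (code, expires_at)
    _send_log: Dict[str, List[float]] = field(default_factory=dict)          # email -> send timestamps

    def send_code(self, email: str) -> str:
        """Issue a fresh code for `email`, refusing once the hourly limit is reached."""
        t = self.now()
        recent = [s for s in self._send_log.get(email, []) if t - s < 3600]
        if len(recent) >= MAX_CODES_PER_EMAIL_PER_HOUR:
            raise RegistrationError("too many verification codes requested for this address")
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[email] = (code, t + CODE_TTL_SECONDS)   # a new code replaces any older one
        self._send_log[email] = recent + [t]
        return code   # in a real deployment this is e-mailed, never returned to the client

    def register(self, username: str, email: str, email_code: str = None) -> bool:
        """Create the account only after the code sent to `email` has been presented."""
        if username in self.users:
            raise RegistrationError("username already taken")
        if self.require_email_activation:
            entry = self._codes.get(email)
            if entry is None:
                raise RegistrationError("no verification code was issued for this address")
            code, expires = entry
            if self.now() > expires:
                raise RegistrationError("verification code expired")
            if not email_code or not hmac.compare_digest(code, str(email_code)):
                raise RegistrationError("invalid verification code")
            del self._codes[email]   # single use: a captured code cannot be replayed
        self.users[username] = email
        return True


def try_register(svc: RegistrationService, username: str, email: str, code: str = None) -> str:
    """Return 'ok' or 'rejected: <reason>' so outcomes can be compared directly."""
    try:
        svc.register(username, email, code)
        return "ok"
    except RegistrationError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Walk through the flow with a controllable clock and collect each outcome."""
    clock = [1_700_000_000.0]
    svc = RegistrationService(now=lambda: clock[0])
    results = {}
    results["no_code"] = try_register(svc, "mallory", "ceo@example.com")
    code = svc.send_code("alice@example.com")
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = try_register(svc, "alice", "alice@example.com", wrong)
    results["right_code"] = try_register(svc, "alice", "alice@example.com", code)
    results["replay"] = try_register(svc, "alice2", "alice@example.com", code)
    code2 = svc.send_code("bob@example.com")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = try_register(svc, "bob", "bob@example.com", code2)
    sent = 0
    try:
        for _ in range(MAX_CODES_PER_EMAIL_PER_HOUR + 1):
            svc.send_code("carol@example.com")
            sent += 1
    except RegistrationError:
        pass
    results["codes_sent_before_limit"] = sent
    # With the switch off, the service behaves like the pre-patch flow the advisory
    # describes: any address is accepted at registration time without proof of ownership.
    legacy = RegistrationService(require_email_activation=False, now=lambda: clock[0])
    results["legacy_unverified"] = try_register(legacy, "eve", "anyone@example.com")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-address send limit protects the mail sender from being used as a spam relay; a deployment would usually add a per-IP limit as well, and keep the deferred-verification mode disabled unless there is a specific reason to run it.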