CVE-2025-10425
BaseFortify
Publication date: 2025-09-15
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1000projects | online_student_project_report_submission_and_evaluation_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
An unrestricted upload into a PHP application is usually equivalent to remote code execution: once a script is written somewhere the web server will execute it, the attacker runs code as the web server user. From there the likely consequences are unauthorized access to the host, reading or altering the student and project data held by the application, staging of further malware, and disruption of the service. Because exploitation is described as requiring no authentication, an attacker needs no prior foothold to compromise confidentiality, integrity, and availability. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two sides: the request that dropped the file and the later requests that execute it. In web server access logs, look for POST requests to `/admin/controller/student_controller.php` (or `/rse/admin/controller/student_controller.php`, the same path under the installation prefix) followed by requests from the same client for a `.php` file that is not part of the application. Note that the default Apache and nginx log formats record the method, path and status but not the request body or its Content-Type, so the multipart upload itself is visible only as a POST to that path; the follow-up request for the dropped script is usually the clearer signal. The upload field can be exercised directly with curl, using a harmless marker file rather than a working web shell, and only against systems you are authorized to test:

curl -F "new_image=@<file>" http://target-site/admin/controller/student_controller.php

If the server accepts a `.php` file (or a file whose content is PHP under another extension) and that file is afterwards reachable under the web root, the install is vulnerable. On the filesystem, sweep the application's upload directories for files with script extensions (`.php`, `.phtml`, `.phar`) and for files of any extension whose content begins with a PHP open tag. [1, 2, 3, 4]
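As an added example (not code from the original page or from the 1000projects project), the log-side and filesystem-side detection described above, written in PHP so it runs with the interpreter already present on any host serving this application. The endpoint paths come from the advisory; the baseline list of legitimate scripts, the sample traffic and the `/uploads/` directory in it are assumptions constructed for the example:

```php
<?php
// Added example (not from the original page or the 1000projects project):
// sweeps Apache "combined" access-log lines for (a) POSTs to the upload
// endpoint named in the advisory and (b) later requests for script paths that
// are not part of a known application baseline, which is how a dropped web
// shell shows up in the access log. findPhpPayloads() does the filesystem
// side: files whose content opens a PHP tag, whatever their extension.
// The baseline list, the sample traffic and the /uploads/ path are constructed.

const UPLOAD_ENDPOINTS = [
    '/admin/controller/student_controller.php',
    '/rse/admin/controller/student_controller.php',
];

// Assumed baseline; build the real one from the install, e.g.
// `cd /var/www/html && find . -name '*.php'`, not from this list.
const KNOWN_PHP = [
    '/index.php',
    '/admin/index.php',
    '/admin/controller/student_controller.php',
    '/rse/admin/controller/student_controller.php',
];

// combined format: ip ident user [time] "METHOD target HTTP/x" status bytes "ref" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);            // strip any query string
    return [
        'ip'     => $m[1],
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
    ];
}

/** One finding per suspicious line: [line, ip, path, reason]. */
function scanLog(array $lines): array
{
    $findings  = [];
    $uploaders = [];                                    // ip => true after a POST to the endpoint
    foreach ($lines as $i => $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && in_array($r['path'], UPLOAD_ENDPOINTS, true)) {
            $uploaders[$r['ip']] = true;
            $findings[] = ['line' => $i + 1, 'ip' => $r['ip'], 'path' => $r['path'],
                           'reason' => 'POST to upload endpoint'];
            continue;
        }
        // A script path outside the baseline is the strongest signal, more so when
        // the same client posted to the endpoint earlier and the script returned 200.
        if (preg_match('/\.(php\d?|phtml|phar)$/i', $r['path'])
            && !in_array($r['path'], KNOWN_PHP, true)) {
            $reason = isset($uploaders[$r['ip']]) && $r['status'] === 200
                ? 'unknown script executed after upload POST'
                : 'unknown script path requested';
            $findings[] = ['line' => $i + 1, 'ip' => $r['ip'], 'path' => $r['path'],
                           'reason' => $reason];
        }
    }
    return $findings;
}

/** Files under $dir whose first 1 KiB contains a PHP open tag, regardless of extension. */
function findPhpPayloads(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $head = $f->isFile() ? file_get_contents($f->getPathname(), false, null, 0, 1024) : false;
        if ($head !== false && preg_match('/<\?(php\b|=)/i', $head)) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data).
$sampleLog = [
    '203.0.113.7 - - [15/Sep/2025:10:01:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Sep/2025:10:01:05 +0000] "POST /admin/controller/student_controller.php HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Sep/2025:10:01:09 +0000] "GET /uploads/x7f3.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '198.51.100.4 - - [15/Sep/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// `php scan.php` runs on the sample; `php scan.php /var/log/apache2/access.log` on a real log.
$lines = ($argv[1] ?? '') !== '' ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sampleLog;
foreach (scanLog($lines) as $f) {
    printf("line %-6d %-14s %-50s %s\n", $f['line'], $f['ip'], $f['path'], $f['reason']);
}
```

On the sample the script reports line 2 (the POST) and line 3 (an unknown `.php` path served with 200 to the client that just posted); the two baseline requests are ignored. The baseline matters more than the regex: any install will have legitimate `.php` paths this list does not know, so generate it from the deployed tree before trusting the output.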
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1. Validate uploads server-side: allowlist only the extensions the feature needs (for an image field, `.jpg`, `.jpeg`, `.png`), determine the type from the file content rather than from the client-supplied name or `Content-Type`, and reject everything else. Neither check is sufficient alone: an extension check ignores content, and a content check can be satisfied by a valid image that carries PHP in its metadata.
2. Enforce a file size limit to prevent disk or memory exhaustion.
3. Store uploaded files outside the web root so that nothing in the upload directory can be requested, and therefore executed, directly; serve them through a controlled script that sets the Content-Type and `X-Content-Type-Options: nosniff`.
4. Rename each upload to a server-generated random name with a server-chosen extension. This removes path traversal through the filename and prevents attacker-chosen `.php` names.
5. Where the upload directory must remain under the web root, configure the web server to refuse script execution there (with Apache and mod_php, `php_admin_flag engine off` in the server configuration for that directory; with PHP-FPM, deny requests for `*.php` in that location at the web server).
6. Audit the rest of the application's file handling code, since the same pattern tends to recur across controllers.
If the code cannot be fixed immediately, disable the upload feature or restrict access to `/admin/controller/student_controller.php` (for example to administrator source addresses at the web server) until a patch is applied. [1, 2, 3]
Can you explain this vulnerability to me?
CVE-2025-10425 is an unrestricted file upload (CWE-434) in 1000projects Online Student Project Report Submission and Evaluation System 1.0, rated critical, in the file /admin/controller/student_controller.php. The handler does not adequately validate the file supplied in the `new_image` parameter, so an attacker can submit a file with an arbitrary name, extension and content. Because the application is written in PHP, the dangerous case is a PHP script landing somewhere under the web root, where the next HTTP request to it executes the attacker's code with the web server's privileges; from there they can read or modify data, install further tooling and disrupt the service. The attack is described as remote and not requiring authentication. Since the affected file sits under `/admin/`, confirm in your own deployment whether the endpoint is reachable before login, as that determines how exposed the install really is. [1, 2, 3, 4]
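The following added example (not the project's actual code) puts a hypothetical sketch of the vulnerable CWE-434 shape described in this explanation next to a hardened PHP handler that implements the mitigation list given under the previous question. The field name `new_image` comes from the advisory; the storage directory, the size limit and the set of allowed image types are assumptions:

```php
<?php
// Added example, not the 1000projects code. The "vulnerable shape" is a
// hypothetical sketch of the CWE-434 pattern described above (client-chosen
// name and extension moved straight into a web-served directory); the
// hardened handler below applies the mitigation list: content-based type
// check, size limit, random server-chosen name, storage outside the web root,
// and a controlled serving script. STORE_DIR, MAX_BYTES and the allowed
// image types are assumptions; the field name new_image is from the advisory.

// --- Vulnerable shape (illustrative only, NOT the project's actual code) ---
// $dest = __DIR__ . '/../uploads/' . $_FILES['new_image']['name'];
// move_uploaded_file($_FILES['new_image']['tmp_name'], $dest);
// A file named shell.php lands under the web root and runs on the next GET.

// --- Hardened handler ---
const MAX_BYTES = 2 * 1024 * 1024;                              // assumed 2 MiB limit
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // detected MIME => extension we assign
const STORE_DIR = '/var/app-data/student_uploads';              // assumed: outside the web root

/** Validates a $_FILES entry and stores it; returns the server-chosen name or throws. */
function storeImageUpload(array $file, string $storeDir = STORE_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {                   // must come from this request's body
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Client-supplied name and Content-Type are untrusted: decide type from content only.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    $img = @getimagesize($file['tmp_name']);                      // second, format-aware parse
    if ($img === false || image_type_to_mime_type($img[2]) !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Random name and server-chosen extension: no traversal, no attacker-chosen .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                                           // readable by the app, never executable
    return $name;
}

/** Serves a stored image through the application, since STORE_DIR has no web path. */
function serveImage(string $name, string $storeDir = STORE_DIR): void
{
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png)$/', $name) || !is_file($path)) {
        http_response_code(404);                                  // only names we generated ourselves
        return;
    }
    header('Content-Type: ' . (substr($name, -3) === 'png' ? 'image/png' : 'image/jpeg'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// In the controller (field name from the advisory):
// try {
//     $stored = storeImageUpload($_FILES['new_image'] ?? []);
// } catch (RuntimeException $e) {
//     http_response_code(400);
// }
```

The content checks (`finfo` plus `getimagesize`) stop plain scripts, but a valid JPEG can still carry `<?php ... ?>` in a comment segment and pass both. What actually removes the code-execution outcome is the rest of the handler: the server chooses the extension, the file lives outside the web root, and it is delivered by `readfile()` with `nosniff` rather than by the PHP interpreter, so even a polyglot is only ever bytes in an image response.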