CVE-2025-10755
BaseFortify
Publication date: 2025-09-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| selleo | mentingo | 2025.08.27 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10755 is a critical vulnerability in Selleo Mentingo 2025.08.27 that allows attackers to bypass file upload restrictions by manipulating the HTTP Content-Type headers during the upload of user avatars or course images. The application relies solely on client-supplied MIME type validation without any server-side checks, enabling attackers with minimal skills and a standard student account to upload arbitrary and potentially dangerous files. This flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and can be exploited remotely. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to host malware on legitimate Mentingo domains, which are often trusted and whitelisted by corporate firewalls. This can facilitate social engineering attacks, phishing campaigns, and persistent threat hosting. A compromised Mentingo instance can affect multiple educational organizations, turning the platform into a command and control infrastructure for threat actors, thereby compromising confidentiality, integrity, and availability of the system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP upload requests to the Mentingo application, specifically looking for manipulation of the Content-Type HTTP header during file uploads to the userAvatar or course image upload endpoints. Detection involves inspecting HTTP traffic for unusual or suspicious MIME types that do not match expected image formats, as the application relies solely on client-supplied MIME type validation without server-side verification. Commands to detect this could include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP POST requests to the upload endpoints, and grep or similar tools to filter for Content-Type headers with unexpected values. For example, using tcpdump: `tcpdump -i <interface> -A -s 0 'tcp port 80 or 443' | grep -i 'Content-Type'` and reviewing uploads for suspicious MIME types. Additionally, web server logs can be searched for POST requests to the upload URLs with unusual Content-Type headers. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the file upload functionality for user avatars and course images in the Mentingo application until a patch or fix is available. Since no vendor response or official mitigation is provided, consider implementing network-level controls such as blocking or filtering HTTP requests with suspicious Content-Type headers or unexpected file types. Additionally, monitor and restrict user privileges to limit the ability to upload files, and consider replacing the affected product if possible. Employ enhanced monitoring for any signs of exploitation and isolate compromised instances to prevent lateral impact across educational organizations. [2]
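As an added example (not code from this page, from BaseFortify or from Mentingo), the header-only check that the answers above describe as the root cause, placed beside a hardened server-side validator for the CWE-434 pattern: it ignores the client's Content-Type, sniffs the file's magic bytes against an allowlist, rejects header/content mismatches as a detection signal, and chooses the stored filename itself. The allowlist, the size limit and the sample bytes are assumptions.

```python
import hashlib

# Allowlisted image types, identified by their leading magic bytes rather
# than by the client-supplied Content-Type header the advisory says was trusted.
_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
_EXT = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed avatar/course-image size limit


def vulnerable_accepts(declared_ct: str) -> bool:
    """The weak check: trusts whatever the client put in Content-Type."""
    return declared_ct.lower().startswith("image/")


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's own bytes, or None."""
    for magic, mime in _MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(declared_ct: str, data: bytes):
    """Hardened check: returns (accepted, reason, server-chosen filename).

    The stored name comes from the content hash plus the *sniffed* type, so
    neither the client's filename nor its Content-Type ever reaches the disk.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload", ""
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not an allowlisted image type", ""
    # Normalise values such as "image/png; charset=binary" before comparing.
    declared = declared_ct.split(";", 1)[0].strip().lower()
    if declared != actual:
        # A header/content mismatch is the manipulation the advisory describes:
        # reject it and treat it as a detection signal worth logging.
        return False, f"declared {declared!r} but content is {actual}", ""
    return True, "ok", hashlib.sha256(data).hexdigest()[:32] + _EXT[actual]


# Constructed sample inputs (not taken from the advisory).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NOT_AN_IMAGE = b"this is not an image"
```

Magic-byte sniffing only proves the prefix is an image; for production use, also re-encode the image with a trusted library and serve uploads from a separate, non-executing origin.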