CVE-2025-9841
BaseFortify
Publication date: 2025-09-03
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | mobile_shop_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Mobile Shop Management System 1.0, specifically in the AddNewProduct.php file. It allows an attacker to perform unrestricted file uploads by manipulating the ProductImage argument. Because the system does not properly validate or restrict the uploaded files, an attacker can upload malicious files such as web shells, which can then be executed on the server. This can be done remotely without authentication, making the attack straightforward and accessible. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to full server compromise, allowing attackers to execute arbitrary code remotely. This can result in data theft, tampering with content, service disruption, and breaches of privacy. The attacker can gain control over the server by uploading and executing malicious files such as web shells. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable endpoint AddNewProduct.php on your system or network, for example using Google Dorking with the query inurl:AddNewProduct.php. Additionally, monitoring for suspicious file uploads, especially files with executable extensions like .php in the upload directories (e.g., assets/img/Product_Uploaded/) can help detect exploitation attempts. Using tools like Burp Suite to intercept and analyze file upload requests can also reveal attempts to upload malicious files such as webshells. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting allowed file types strictly to safe image formats and excluding executable scripts; enforcing maximum file size limits; filtering special characters in filenames and renaming files randomly to prevent path traversal and overwriting; configuring the upload directory with non-executable permissions to block execution of uploaded files; and logging upload activities including file names, timestamps, and uploader IPs for monitoring and auditing. Since no vendor patch is currently available, replacing the affected software with an alternative product is recommended. [1, 2]