CVE-2025-15110
Unrestricted File Upload in jackq XCMS Backend Component
Publication date: 2025-12-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jackq | xcms | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Upload function of the ProductImageController in the backend component of jackq XCMS. It allows an attacker to manipulate the File argument to perform an unrestricted file upload. This means an attacker can upload arbitrary files remotely, potentially leading to unauthorized actions on the system.
How can this vulnerability impact me?
The vulnerability can allow remote attackers to upload arbitrary files without restriction. This could lead to unauthorized code execution, data compromise, or system disruption, impacting the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of uploaded files in the backend upload directory that should not be there, such as PHP files uploaded via the vulnerable upload endpoint. One detection method is to look for files uploaded to the path /Public/uploads/product/ with suspicious extensions like .php. Additionally, Google dorking can be used to identify vulnerable targets by searching for the vulnerable file path. A practical approach is to monitor HTTP POST requests to the endpoint /qt-admin.php/ProductImage/upload.html and inspect multipart/form-data uploads for suspicious file types. Commands to detect suspicious files could include scanning the upload directory for PHP files, for example: `find /path/to/xcms/Public/uploads/product/ -type f -name '*.php'` or using web server logs to identify POST requests to the upload endpoint. Network IDS/IPS rules can be created to alert on HTTP POST requests containing multipart/form-data to /qt-admin.php/ProductImage/upload.html with file uploads having executable extensions. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable upload functionality, especially the endpoint /qt-admin.php/ProductImage/upload.html, to prevent unauthorized or authenticated attackers from uploading files. Because the product is a rolling release and the vendor has not responded, no official patch or mitigation is available; consider replacing or removing the affected component or product. Implement strict validation on uploaded files, checking file type, content, and extension, to block executable files such as PHP scripts. Additionally, monitor for and remove any suspicious uploaded files, and remove execute permissions in the upload directories so that uploaded malicious files cannot run. Network-level controls such as a web application firewall (WAF) that blocks malicious upload attempts can also help reduce the risk. [1, 2]
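As an added example (not part of this record or of the XCMS code base), the following Python applies the detection and validation steps described in the two answers above: it parses access-log lines for POST requests to the upload endpoint named on this page, and checks files in the product upload directory against an image allow-list (one extension plus matching magic bytes), so that PHP files, double extensions such as name.php.jpg, and image-named files with non-image content are flagged. The log lines, directory layout and allow-list are constructed assumptions.

```python
import re
from pathlib import Path
# Endpoint named in the advisory text above.
UPLOAD_ENDPOINT = "/qt-admin.php/ProductImage/upload.html"

# Allow-list for a product-image upload: extension -> accepted magic bytes.
# A file with any other extension, a double extension, or content that does
# not start with the matching signature is rejected (or flagged by the scan).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

# Combined access-log format: client, method, path, status; rest ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Dec/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Dec/2025:10:00:07 +0000] "POST /qt-admin.php/ProductImage/upload.html HTTP/1.1" 200 88',
    '198.51.100.9 - - [27/Dec/2025:10:01:13 +0000] "POST /qt-admin.php/ProductImage/upload.html?x=1 HTTP/1.1" 302 0',
]

def suspicious_upload_requests(log_lines):
    """Return (client, path, status) for every POST to the upload endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            hits.append((client, path, int(status)))
    return hits

def is_valid_image_upload(filename, content):
    """Exactly one allow-listed extension plus the matching image signature."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in IMAGE_MAGIC:
        return False
    return any(content.startswith(sig) for sig in IMAGE_MAGIC[suffixes[0]])

def scan_upload_dir(root):
    """List files under the product upload directory that fail validation."""
    flagged = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not is_valid_image_upload(p.name, p.read_bytes()[:16]):
            flagged.append(str(p))
    return sorted(flagged)
```

Run `scan_upload_dir` against the installation's Public/uploads/product/ directory and feed the web server's access log to `suspicious_upload_requests`; any flagged file or unexpected client posting to the endpoint is worth investigating.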