CVE-2025-15110
Unknown Unknown - Not Provided
Unrestricted File Upload in jackq XCMS Backend Component

Publication date: 2025-12-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15110
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jackq xcms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Upload function of the ProductImageController in the backend component of jackq XCMS. It allows an attacker to manipulate the File argument to perform an unrestricted file upload. This means an attacker can upload arbitrary files remotely, potentially leading to unauthorized actions on the system.

Impact Analysis

The vulnerability can allow remote attackers to upload arbitrary files without restriction. This could lead to unauthorized code execution, data compromise, or system disruption, impacting the confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded files in the backend upload directory that should not be there, such as PHP files uploaded via the vulnerable upload endpoint. One detection method is to look for files uploaded to the path /Public/uploads/product/ with suspicious extensions like .php. Additionally, Google dorking can be used to identify vulnerable targets by searching for the vulnerable file path. A practical approach is to monitor HTTP POST requests to the endpoint /qt-admin.php/ProductImage/upload.html and inspect multipart/form-data uploads for suspicious file types. Commands to detect suspicious files could include scanning the upload directory for PHP files, for example: `find /path/to/xcms/Public/uploads/product/ -type f -name '*.php'` or using web server logs to identify POST requests to the upload endpoint. Network IDS/IPS rules can be created to alert on HTTP POST requests containing multipart/form-data to /qt-admin.php/ProductImage/upload.html with file uploads having executable extensions. [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable upload functionality, especially the endpoint /qt-admin.php/ProductImage/upload.html, to prevent unauthorized or authenticated attackers from uploading files. Since no official patches or mitigations are available due to the rolling release nature and lack of vendor response, consider replacing or removing the affected component or product. Implement strict validation on uploaded files, including checking file types, content, and extensions, to block executable files such as PHP scripts. Additionally, monitor and remove any suspicious uploaded files, and restrict file execution permissions in the upload directories to prevent execution of uploaded malicious files. Applying network-level controls such as web application firewalls (WAF) to block malicious upload attempts can also help mitigate risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15110. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart