CVE-2025-67325
Unrestricted File Upload in QloApps Enables Remote Code Execution

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: MITRE

Description
Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: qloapps
Product: qloapps
Version / Range: up to 1.7.0 (excluding)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an unrestricted file upload flaw in the hotel review feature of QloApps versions 1.7.0 and earlier. It allows remote unauthenticated attackers to upload malicious files, such as a PHP web shell, without any file extension validation or authentication. Once uploaded, these files can be executed by the server, enabling attackers to run arbitrary operating system commands remotely. [2]


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to remote code execution on the hosting server, allowing attackers to read, write, or delete sensitive files, access database credentials, pivot to internal network services, and fully compromise the server. This results in a complete loss of confidentiality, integrity, and availability of the affected system. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for uploaded PHP files in the hotel review upload directories, specifically under paths like /modules/qlohotelreview/views/img/review/<id_order>/1.php. You can scan your web server directories for unexpected PHP files in these locations. Additionally, monitoring HTTP requests to the endpoint /module/qlohotelreview/default for suspicious file upload activity or unusual POST requests can help detect exploitation attempts. Commands to detect such files include:

1) Use the find command on the server to locate PHP files in the review upload directory, e.g., `find /path/to/qloapps/modules/qlohotelreview/views/img/review/ -name '*.php'`
2) Grep the web server logs for POST requests to /module/qlohotelreview/default, e.g., `grep '/module/qlohotelreview/default' /var/log/apache2/access.log` or the equivalent for your web server.
3) List the files in the upload directories and check for unusual files or web shells.

These steps help identify whether malicious files have been uploaded and accessed. [2]
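The two checks above (files with a PHP-executable name under the review upload directory, and access-log requests that hit the upload endpoint or fetch a PHP file from that directory) combined in one script. This is an added example written for this page, not code from QloApps or from the advisory; the install path, the extension list and the sample log lines are constructed assumptions, and the log parser only understands the combined log format.

```python
import re
from pathlib import Path

# Constructed example values; point REVIEW_DIR at the real install (layout per the advisory text).
REVIEW_DIR = Path("/path/to/qloapps/modules/qlohotelreview/views/img/review")
UPLOAD_ENDPOINT = "/module/qlohotelreview/default"
REVIEW_WEB_PATH = "/modules/qlohotelreview/views/img/review/"
# PHP-executable extensions (assumed list); matching mid-name also catches "1.php.jpg".
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Minimal parser for the Apache/nginx combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log: an upload POST, a fetch of a dropped PHP file, two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2026:10:00:01 +0000] "POST /module/qlohotelreview/default HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [08/Jan/2026:10:00:03 +0000] "GET /modules/qlohotelreview/views/img/review/42/1.php HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [08/Jan/2026:10:01:00 +0000] "GET /modules/qlohotelreview/views/img/review/42/1.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2026:10:02:00 +0000] "GET /hotel-reviews HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

def is_php_name(name):
    """True if a typical PHP handler would execute a file with this name (case-insensitive)."""
    return PHP_EXT_RE.search(name) is not None

def find_php_uploads(review_dir=REVIEW_DIR):
    """List files under the review upload directory that should never be there."""
    root = Path(review_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob("*") if p.is_file() and is_php_name(p.name))

def suspicious_requests(log_lines):
    """Flag POSTs to the upload endpoint and any request for a PHP file under the review path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and path.startswith(UPLOAD_ENDPOINT):
            hits.append(("upload_attempt", m["ip"], path, m["status"]))
        elif path.startswith(REVIEW_WEB_PATH) and is_php_name(path):
            hits.append(("php_under_review_dir", m["ip"], path, m["status"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Against a live install, feed real access-log lines to suspicious_requests() and call find_php_uploads() after setting REVIEW_DIR; a request to a PHP file under the review path that returned 200 means the file was executed, not just uploaded.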


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

1) Restrict or disable the file upload functionality in the hotel review feature until a patch or update is applied.
2) Implement server-side validation to restrict allowed file types and prevent uploading executable files such as PHP scripts.
3) Remove any suspicious or unknown PHP files found in the review upload directories.
4) Apply access controls to prevent direct execution of uploaded files, such as disabling execution permissions in the upload directories via web server configuration (e.g., using .htaccess to deny PHP execution).
5) Update QloApps to a version later than 1.7.0 once a patch is released.
6) Monitor logs for suspicious activity related to the vulnerable endpoint.

These steps help prevent exploitation and limit damage from existing compromises. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability leads to a complete loss of confidentiality, integrity, and availability of the hosting server, which can result in unauthorized access to sensitive data. Such a compromise can negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, specific impacts on compliance are not detailed in the provided resources. [2]

