CVE-2019-25758
Awaiting Analysis Awaiting Analysis - Queue

Unrestricted File Upload in Joomla vBizz Component

Vulnerability report for CVE-2019-25758, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

Joomla! Component vBizz 1.0.7 contains an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary PHP files by submitting malicious files through the profile_pic parameter. Attackers can upload PHP files via POST requests to the employee view endpoint and execute them from the uploads directory to achieve remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-10
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wdmtech vbizz 1.0.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the vulnerability in Joomla! Component vBizz 1.0.7 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the employee view endpoint that include file uploads via the profile_pic parameter. Specifically, look for attempts to upload PHP files which should not normally be allowed.

Commands to detect potential exploitation attempts include searching web server logs for POST requests containing the profile_pic parameter or PHP file uploads.

  • Use grep or similar tools to search access logs for POST requests to the vulnerable endpoint, for example: grep 'POST' /var/log/apache2/access.log | grep 'profile_pic'
  • Search for uploaded PHP files in the uploads directory: find /path/to/uploads -name '*.php'
  • Monitor for execution of unexpected PHP files in the uploads directory by checking web server error logs or access logs.
Executive Summary

The Joomla! Component vBizz version 1.0.7 contains an unrestricted file upload vulnerability. This flaw allows authenticated attackers to upload arbitrary PHP files by exploiting the profile_pic parameter. Attackers can send malicious files via POST requests to the employee view endpoint and then execute these uploaded PHP files from the uploads directory. This leads to remote code execution on the affected server.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary code remotely on the affected server. By uploading and running malicious PHP files, attackers can potentially take full control of the server, access sensitive data, modify or delete information, disrupt services, or use the compromised server as a pivot point for further attacks.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling file uploads through the profile_pic parameter, especially blocking uploads of executable PHP files.

Ensure that only authenticated and authorized users can upload files, and implement strict validation and sanitization of uploaded files to prevent uploading of malicious scripts.

If possible, apply any available patches or updates from the vendor that address this vulnerability.

As a temporary measure, restrict execution permissions in the uploads directory to prevent execution of uploaded PHP files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart