CVE-2025-13238 identifies an unrestricted file upload vulnerability in Bdtask Flight Booking Software version 4, specifically in the /agent/profile/edit endpoint of the Edit Profile Page component. This flaw allows attackers to remotely upload arbitrary files without authentication or user interaction, bypassing any file type or content restrictions. The vulnerability arises from insufficient input validation and lack of proper access controls on the file upload functionality, enabling attackers to place malicious files such as web shells or scripts on the server. Once uploaded, these files can be executed to gain unauthorized access, escalate privileges, or disrupt the system. The vendor was notified early but has not responded or provided patches, and public exploit code is available, increasing the likelihood of exploitation. The CVSS 4.0 base score is 5.3, reflecting medium severity due to the ease of attack and partial impact on confidentiality, integrity, and availability. No authentication or user interaction is required, and the attack vector is network-based, making it accessible to remote attackers. The lack of vendor response and patch availability heightens the risk for organizations relying on this software for flight booking and related operations.

For European organizations using Bdtask Flight Booking Software, this vulnerability poses significant risks. Attackers can upload malicious files to compromise backend systems, potentially leading to unauthorized access to sensitive customer data, including personal and payment information. This can result in data breaches, regulatory fines under GDPR, and reputational damage. Additionally, attackers may execute arbitrary code to disrupt booking services, causing downtime and operational losses. The vulnerability's remote, unauthenticated nature increases the attack surface, making it easier for cybercriminals to exploit without insider access. Given the critical role of flight booking systems in travel and logistics, exploitation could also impact supply chains and customer trust. The absence of vendor patches means organizations must rely on internal mitigations, increasing operational burden and risk exposure.

To mitigate CVE-2025-13238, organizations should immediately implement strict server-side validation of all uploaded files, enforcing allowed file types, sizes, and content inspection to block malicious payloads. Employing a whitelist approach for file extensions and MIME types is critical. Deploy web application firewalls (WAFs) configured to detect and block suspicious upload attempts and known exploit signatures. Isolate the upload directory with minimal permissions and disable execution rights to prevent uploaded files from running as code. Regularly monitor logs for unusual upload activity and conduct penetration testing to identify residual weaknesses. If possible, restrict access to the /agent/profile/edit endpoint via network segmentation or IP whitelisting. Organizations should also consider migrating to alternative, actively supported flight booking software or applying custom patches if vendor support remains unavailable. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.