
CVE-2025-5108: Unrestricted Upload in zongzhige ShopXO

Severity: Medium
Published: Fri May 23 2025 (05/23/2025, 12:31:05 UTC)
Source: CVE
Vendor/Project: zongzhige
Product: ShopXO

Description

A vulnerability was found in zongzhige ShopXO 6.5.0. It has been rated as critical. This issue affects the function Upload of the file app/admin/controller/Payment.php of the component ZIP File Handler. The manipulation of the argument params leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/08/2025, 20:12:02 UTC

Technical Analysis

CVE-2025-5108 is a vulnerability identified in version 6.5.0 of the zongzhige ShopXO e-commerce platform. The flaw resides in the Upload function within the app/admin/controller/Payment.php file, specifically in the ZIP File Handler component. By manipulating the 'params' argument, an attacker can perform an unrestricted file upload: arbitrary files, potentially including malicious scripts or executables, can be uploaded without proper validation or restrictions. The vulnerability can be exploited remotely without requiring user interaction or authentication, which increases the risk of exploitation. Although the vendor was notified early, no response or patch had been released at the time of disclosure. The CVSS 4.0 base score is 5.3 (medium severity), reflecting low impact on confidentiality, integrity, and availability, and the requirement of low privileges (PR:L) for exploitation. The vulnerability requires no user interaction and is reachable over the network, but the rated impact on confidentiality, integrity, and availability is low, which suggests that while the attack vector is accessible, the potential damage may be constrained by the application context or existing controls. No exploitation in the wild is currently reported, but the public disclosure of exploit code increases the risk of active exploitation.

Potential Impact

For European organizations using ShopXO 6.5.0, this vulnerability poses a risk of unauthorized file uploads that could lead to remote code execution, data tampering, or service disruption. Attackers could upload web shells or malicious payloads, compromising the confidentiality and integrity of sensitive customer and payment data, and potentially disrupting e-commerce operations. Given that ShopXO is an e-commerce platform, the impact could extend to financial fraud, theft of personal data protected under GDPR, and reputational damage. The lack of vendor response and patch availability increases the urgency for organizations to implement mitigations. The medium severity rating suggests that while the vulnerability is exploitable, the overall impact might be mitigated by existing security controls or the specific deployment environment. However, the ability to upload files without restriction remains a critical security concern, especially in environments where ShopXO is integrated with payment processing and customer data management.

Mitigation Recommendations

European organizations should immediately audit their ShopXO installations to identify if version 6.5.0 is in use. In the absence of an official patch, organizations should implement strict web application firewall (WAF) rules to detect and block suspicious file uploads, especially those targeting the Payment.php upload function. Restricting file types accepted by the upload functionality and enforcing server-side validation can reduce the risk. Additionally, isolating the ShopXO application in a segmented network zone with limited privileges can contain potential exploitation impact. Monitoring logs for unusual upload activity and deploying intrusion detection systems (IDS) tuned for web shell signatures is recommended. Organizations should also consider disabling or restricting the upload feature temporarily if feasible until a vendor patch is released. Regular backups and incident response plans should be updated to address potential exploitation scenarios. Finally, organizations should engage with the vendor or community for updates and consider alternative e-commerce platforms if the vendor remains unresponsive.
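As an added example (not ShopXO's code, and not modelled on its actual Payment.php handler), the kind of server-side check the recommendation above calls for: validating an uploaded ZIP before any entry is extracted. The class and method names are hypothetical, and the limits and extension allow-list are constructed values.

```php
<?php
declare(strict_types=1);

// Added example, not ShopXO's code. Checks an uploaded ZIP before anything is
// extracted: real ZIP signature, no path traversal in entry names, only
// allow-listed extensions, and caps on entry count and uncompressed size.
final class ZipUploadValidator
{
    private const MAX_ENTRIES = 500;                      // constructed limit
    private const MAX_UNCOMPRESSED = 20 * 1024 * 1024;    // 20 MiB, constructed limit

    /** @param string[] $allowedExt lower-case extensions permitted inside the archive */
    public function __construct(private array $allowedExt) {}

    /** Returns a list of violations; an empty list means the archive passed. */
    public function validate(string $zipPath): array
    {
        $errors = [];
        $head = (string) file_get_contents($zipPath, false, null, 0, 4);
        if ($head !== "PK\x03\x04") {                     // local file header signature
            return ['not a ZIP archive (bad signature)'];
        }
        $zip = new ZipArchive();
        if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
            return ['archive cannot be opened'];
        }
        if ($zip->numFiles > self::MAX_ENTRIES) {
            $errors[] = "too many entries ({$zip->numFiles})";
        }
        $total = 0;
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $st = $zip->statIndex($i);
            if ($st === false) { continue; }
            $name = $st['name'];
            $total += $st['size'];                        // uncompressed size of the entry
            // Zip Slip: reject absolute paths, backslashes and any ".." segment.
            if (str_starts_with($name, '/') || str_contains($name, '\\')
                || in_array('..', explode('/', $name), true)) {
                $errors[] = "unsafe path: $name";
                continue;
            }
            if (str_ends_with($name, '/')) { continue; } // directory entry
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            if (!in_array($ext, $this->allowedExt, true)) {
                $errors[] = "disallowed file type: $name";
            }
        }
        if ($total > self::MAX_UNCOMPRESSED) {
            $errors[] = "uncompressed size $total exceeds limit";
        }
        $zip->close();
        return $errors;
    }
}
```

Which extensions belong in the allow-list depends on what the handler legitimately installs; if it must accept PHP files, this check only removes traversal and size abuse, and the effective control is that only authenticated administrators reach the endpoint and the extraction target is not served by the web server.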


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-23T06:28:34.598Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68306f8e0acd01a249272493

Added to database: 5/23/2025, 12:52:30 PM

Last enriched: 7/8/2025, 8:12:02 PM

Last updated: 8/13/2025, 3:12:59 PM

