
CVE-2025-5380: Path Traversal in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统

Severity: Medium
Published: Sat May 31 2025 (05/31/2025, 14:00:13 UTC)
Source: CVE Database V5
Vendor/Project: ashinigit 天青一白
Product: XueShengZhuSu 学生住宿管理系统

Description

A vulnerability, which was classified as critical, has been found in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统 up to 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb. This issue affects some unknown processing of the file /upload/ of the component Image File Upload. The manipulation of the argument File leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.

AI-Powered Analysis

Last updated: 07/09/2025, 00:54:30 UTC

Technical Analysis

CVE-2025-5380 is a path traversal vulnerability in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统, a student accommodation management system. The affected code is the Image File Upload component behind the /upload/ endpoint: the 'File' argument is used to build a filesystem path without being confined to the upload directory, so a request carrying traversal sequences such as ../ can point the operation at a path outside that directory. In an upload handler this usually means the attacker chooses where the uploaded file is written; the record does not publish the handler's exact behaviour, so whether existing files can also be read is not established from this page. The attack can be initiated remotely. The product follows a rolling-release model, so there are no version numbers: the record identifies affected code as everything up to commit 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb and does not reference a fixing commit. VulDB classifies the issue as critical, while the CVSS 4.0 base score is 5.3 (medium). The vector string is not reproduced on this page, so the score should be read as limited confidentiality, integrity and availability impact and not as confirmation that the endpoint is reachable without any privileges. The record states that an exploit has been disclosed publicly and may be used, so probing of exposed instances should be expected.
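The traversal described above shows up in web-server access logs as requests to /upload/ whose File value contains a `..` path component, often percent-encoded or double-encoded to slip past naive string matching. The following is an added example, not code from the project or from the advisory: it decodes each request target repeatedly, folds backslashes to forward slashes, and flags `..` only when it is a whole path component. The log lines are constructed for illustration, the endpoint path /upload/ and the parameter name File come from the advisory, and the combined log format is an assumption about the deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for illustration only;
# they are not real traffic from any deployment of the product.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2025:14:02:11 +0000] "GET /upload/?File=photo.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2025:14:02:15 +0000] "GET /upload/?File=../../../../etc/passwd HTTP/1.1" 200 1804 "-" "curl/8.5.0"
203.0.113.7 - - [31/May/2025:14:02:19 +0000] "GET /upload/?File=..%2f..%2fconfig.php HTTP/1.1" 200 920 "-" "curl/8.5.0"
203.0.113.7 - - [31/May/2025:14:02:23 +0000] "GET /upload/?File=%252e%252e%252fdb.ini HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.4 - - [31/May/2025:14:03:01 +0000] "GET /upload/?File=..%5c..%5cwin.ini HTTP/1.1" 200 403 "-" "curl/8.5.0"
198.51.100.4 - - [31/May/2025:14:03:40 +0000] "GET /static/app..css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' that is a whole path component: not preceded by a name character or
# another dot (so 'app..css' and '...' do not match) and followed by '/' or the end.
DOTDOT = re.compile(r"(?<![\w.])\.\.(?=/|$)")


def canonical(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double/triple encoding such as %252e)
    and fold Windows separators to '/', so one pattern covers all spellings."""
    out = value
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True when the canonical form of a request target contains a '..' component."""
    return DOTDOT.search(canonical(target)) is not None


def scan_log(text: str, endpoint: str = "/upload/") -> list[dict]:
    """Return one record per request to `endpoint` whose target carries traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on noise
        target = m["target"]
        if target.startswith(endpoint) and has_traversal(target):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": target, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['target']}")
```

Two caveats: access logs only show the query string, so a File value sent in a POST body (the usual case for an upload form) needs request-body logging or a WAF to be seen at all, and the decoder does not handle overlong UTF-8 encodings of '.' and '/', which a front-end normaliser should reject before the request reaches the application.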

Potential Impact

For European organizations running the XueShengZhuSu 学生住宿管理系统, the risk is that a remote client can place a file, or reach a path, outside the directory the upload component is meant to use. Because the system holds student accommodation records, any exposure of personal data, administrative documents or configuration files is a personal-data breach under GDPR, with the notification duties that follow. An attacker who can control where an uploaded file lands may also overwrite application files or drop content into a location the web server serves, which is a common stepping stone from path traversal to code execution; the advisory does not confirm that this is possible here, so treat it as a possibility to rule out rather than an established fact. The CVSS 4.0 score of 5.3 rates the direct impact on confidentiality, integrity and availability as limited, but for an institution handling personal and academic data the confidentiality exposure alone is significant. The remotely reachable upload endpoint makes prompt mitigation important wherever the application faces the internet.

Mitigation Recommendations

Treat the client-supplied File value as untrusted data, never as a path. Keep only a single file name: reject any value containing path separators (forward or backward slashes), NUL bytes or percent signs rather than trying to strip ../ sequences out of it, and prefer generating the stored name on the server so the client controls at most the extension. Allowlist extensions (for an image upload, the handful of image types actually needed) and refuse names that begin with a dot. Canonicalise the final path, for example with realpath, and confirm it still lies inside the upload directory before any write. Keep the upload directory outside the web root or configured so the web server will not execute anything stored there, and give the application user write access to that directory only. A web application firewall can block traversal patterns, but its rules must decode the request first, since ../ typically arrives percent-encoded, double-encoded or with backslashes. Because the product uses rolling releases, track the project's repository for a fixing commit rather than waiting for a version number, and redeploy once one appears. Until then, restrict access to the /upload/ endpoint through authentication or network segmentation, and review the upload directory and web root for unexpected files. Include upload handling explicitly in regular security audits and penetration tests, since the same class of flaw recurs in other file-handling code.
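The vulnerable pattern and its hardened counterpart, as an added example that is not the project's code and makes no claim about the language or structure of the real handler: the unsafe function joins the client-supplied name straight onto the upload directory, the safe one validates the name, allowlists the extension and then verifies the canonical path stays inside the directory. The upload directory /srv/app/upload and the extension allowlist are assumptions chosen for the example.

```python
import os
import re

UPLOAD_DIR = "/srv/app/upload"  # assumed deployment path, not taken from the advisory
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# One plain file name: starts with a letter or digit (no dotfiles such as
# .htaccess), then letters, digits, dot, underscore or hyphen; no separators,
# no percent signs, no NUL bytes, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def unsafe_upload_path(upload_dir: str, user_filename: str) -> str:
    """The vulnerable pattern: the client name becomes a path component, so
    '../../x' walks out of the directory and an absolute name replaces it."""
    return os.path.join(upload_dir, user_filename)


def safe_upload_path(upload_dir: str, user_filename: str) -> str:
    """Hardened version: validate the name, allowlist the extension, then
    canonicalise and confirm the result is a direct child of the upload dir."""
    name = user_filename.replace("\\", "/")  # Windows separators count as separators
    if "/" in name or "\0" in name or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {user_filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Defence in depth: if the validation above is ever loosened, an escaped
    # path is still caught here before anything is written.
    if os.path.dirname(target) != root:
        raise ValueError("resolved path escapes upload directory")
    return target


def escapes_upload_dir(upload_dir: str, path: str) -> bool:
    """True when the canonical form of `path` lies outside `upload_dir`;
    usable as a post-hoc check on paths the unsafe handler would have used."""
    root = os.path.realpath(upload_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def is_rejected(upload_dir: str, user_filename: str) -> bool:
    """Convenience wrapper: does the hardened path builder refuse this name?"""
    try:
        safe_upload_path(upload_dir, user_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed probe values for illustration.
    for probe in ["photo.jpg", "../../../etc/cron.d/evil.jpg", "..%2fconfig.php",
                  "..\\..\\win.ini", ".htaccess", "shell.php", "/etc/passwd"]:
        unsafe = unsafe_upload_path(UPLOAD_DIR, probe)
        print(f"{probe!r:35} unsafe={unsafe!r} escapes={escapes_upload_dir(UPLOAD_DIR, unsafe)}"
              f" hardened_rejects={is_rejected(UPLOAD_DIR, probe)}")
```

Note that os.path.join discards everything before an absolute second argument, so "/etc/passwd" is not merely a traversal case but a complete replacement of the upload directory; the realpath-and-dirname check catches both. Generating the stored name on the server (for example a random token plus the validated extension) removes the client from the naming decision entirely and is the stronger option where the original name does not need to be preserved.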


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-05-30T12:21:46.072Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 683b0e91182aa0cae2e5002c

Added to database: 5/31/2025, 2:13:37 PM

Last enriched: 7/9/2025, 12:54:30 AM

Last updated: 7/30/2025, 4:11:32 PM

