CVE-2025-60078: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Agence web Eoxia - Montpellier Task Manager
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier Task Manager task-manager allows PHP Local File Inclusion. This issue affects Task Manager: from n/a through <= 3.0.2.
AI Analysis
Technical Summary
CVE-2025-60078 is a Local File Inclusion (LFI) vulnerability in Task Manager (package slug task-manager), PHP software developed by Agence web Eoxia - Montpellier. The CWE title quoted in the advisory, CWE-98, is named after PHP Remote File Inclusion, but the weakness is any attacker-controlled filename reaching an include or require statement; the advisory states that this instance permits inclusion of local files. Because the controlled value reaches include/require rather than a read function such as file_get_contents, whatever is included is executed as PHP. Two consequences follow. First, an attacker can disclose server-side files outright and, with the php://filter wrapper, retrieve the source of PHP files (including configuration files holding database credentials) base64-encoded instead of executing them. Second, the issue becomes remote code execution as soon as PHP code can be placed anywhere on the local filesystem, for example through an upload directory, a poisoned log file or session storage, or via a second vulnerability. The affected range is every release up to and including 3.0.2; the advisory gives no lower bound (listed as n/a) and does not name a fixed release. No public exploit is known at the time of writing. No CVSS score has been assigned (the record lists the CVSS version as null), so the advisory does not state the attack vector, the privileges required or whether authentication is needed; do not assume the issue is reachable unauthenticated, but do not rely on a login page as protection either, since any user able to load the affected view can supply the parameter. The assigning CNA is Patchstack, whose scope covers WordPress plugins and themes; in a WordPress deployment the included code runs as the web server account and can read the site's configuration file. The exposure is greatest for internet-facing installations used for project or task management. Since the vendor is based in Montpellier, France, organizations in France and neighbouring European countries are the most likely users. Until a fixed release is confirmed, mitigation rests on restricting access, hardening the PHP configuration and, where the code can be modified, replacing the attacker-influenced include with an allow-list.
Potential Impact
The primary impact of CVE-2025-60078 is exposure of server-side files: PHP configuration and source (readable through the php://filter wrapper even when they would otherwise be executed), credentials embedded in them, and any other file the web server account can read, compromising confidentiality. If attackers can chain the inclusion with a file upload, log poisoning or another weakness that lets them place PHP code on the host, it becomes remote code execution, compromising the integrity and availability of the server and anything it can reach. For European organizations relying on Task Manager in operational workflows, this can mean data breaches, operational disruption and reputational damage. The advisory does not state whether the vulnerable parameter is reachable without authentication; if it is, or if the application is exposed to untrusted users, mass exploitation by scanners that probe for LFI is realistic, so internet-facing installations are the first priority. The impact is heightened in regulated industries subject to GDPR, where unauthorized exposure of personal data can lead to fines and legal consequences. Because the advisory does not name a fixed release, organizations must rely on interim mitigations until the vendor confirms one, which lengthens the window of exposure.
Mitigation Recommendations
1. Restrict access to the Task Manager application to trusted networks or a VPN until a fixed release is confirmed, to reduce exposure.
2. Where the code can be modified, replace any request parameter that feeds include or require with an allow-list that maps a short key to a fixed filename. Sanitization that strips "../" or blocks known strings is bypassable (alternate encodings, stream wrappers, symlinks) and is not a substitute.
3. Harden the PHP configuration: set open_basedir to the application directory (plus any required temp and session paths) so includes outside it fail, and keep allow_url_include=Off. Note that allow_url_include only blocks remote inclusion and has no effect on local inclusion, and open_basedir does not stop php://filter from reading files inside the permitted path.
4. Monitor web server logs for requests to the Task Manager pages whose parameters contain traversal sequences (../, encoded forms such as %2e%2e%2f), stream wrappers (php://filter, data://, phar://) or well-known targets (/etc/passwd, /proc/self/environ).
5. Deploy a Web Application Firewall with LFI rules (for example the OWASP Core Rule Set) as a stopgap; treat it as a detection and rate-limiting layer, not a fix.
6. Back up application and server data regularly so that a compromised host can be rebuilt rather than cleaned in place.
7. Track the vendor's releases and the Patchstack advisory for a fixed version and upgrade as soon as one is published.
8. Audit the code base for other include, require, file_get_contents and fopen calls fed by request data, and include file-inclusion cases in penetration tests.
9. Train development and operations teams on secure file handling in PHP: allow-lists, realpath containment checks, and no user-supplied data in filesystem paths.
10. Run the application under a low-privilege account or in a container so that a successful inclusion cannot read unrelated files or serve as a pivot to other systems.
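The following is an added example, not code from the Task Manager plugin or its vendor. It shows the CWE-98 pattern described in the technical summary beside an allow-listed, path-contained replacement that implements items 2 and 3 above, plus a small log check for items 4 and 5. The parameter name view, the templates directory, the allow-list entries and the log lines are all assumptions constructed for illustration.

```php
<?php
// Added example, not code from the Task Manager plugin. The parameter name "view",
// the templates directory, the allow-list and the sample log lines are assumptions.
declare(strict_types=1);

// BEFORE (CWE-98): the request parameter becomes the include path. A value such as
// "../../../../etc/passwd" escapes the directory, and
// "php://filter/convert.base64-encode/resource=../config" returns the source of any
// PHP file the web server can read. Kept only as the pattern to spot in code review.
function render_vulnerable(string $view): void
{
    include __DIR__ . '/templates/' . $view . '.php';
}

// AFTER: the parameter selects a key from a fixed allow-list, so it never names a
// file, and the resolved path is verified to sit inside $baseDir as defence in depth.
const VIEW_ALLOWLIST = ['list', 'detail', 'calendar'];

function resolve_view(string $view, string $baseDir): ?string
{
    if (!in_array($view, VIEW_ALLOWLIST, true)) {   // strict comparison, no type juggling
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $view . '.php');
    // realpath() returns false for missing files and for any stream wrapper
    // (php://, data://, phar://) and collapses ".." and symlinks before we compare.
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function render_safe(string $view, string $baseDir): void
{
    $path = resolve_view($view, $baseDir);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown view';
        return;
    }
    include $path;
}

// Log triage for mitigations 4 and 5: flag request lines carrying classic inclusion
// payloads after URL-decoding twice (covers %2e%2e%2f and double-encoded variants).
function is_lfi_probe(string $requestLine): bool
{
    $decoded = rawurldecode(rawurldecode($requestLine));
    $pattern = '#(\.\./|\.\.\\\\|php://|data://|phar://|/etc/passwd|/proc/self/environ|\x00)#i';
    return (bool) preg_match($pattern, $decoded);
}

// Self-contained demo: build a throwaway templates directory and exercise the resolver.
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/list.php', "<?php echo 'task list';\n");

$probes = [
    'list',                                              // legitimate key, file exists
    '../../../../etc/passwd',                            // traversal, not in allow-list
    'php://filter/convert.base64-encode/resource=index', // wrapper, not in allow-list
    "list\0",                                            // NUL byte, strict allow-list rejects it
    'calendar',                                          // allowed key but no template on disk
];
foreach ($probes as $p) {
    $r = resolve_view($p, $dir . '/templates');
    printf("%-55s => %s\n", str_replace("\0", '\\0', $p), $r ?? 'rejected');
}

$sampleLog = [ // constructed sample lines, not from a real server
    '10.0.0.5 - - [18/Dec/2025:07:42:04 +0000] "GET /task-manager/?view=list HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2025:07:42:10 +0000] "GET /task-manager/?view=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1844',
    '10.0.0.9 - - [18/Dec/2025:07:42:11 +0000] "GET /task-manager/?view=php://filter/convert.base64-encode/resource=../config HTTP/1.1" 200 9021',
];
foreach ($sampleLog as $line) {
    echo (is_lfi_probe($line) ? 'ALERT ' : 'ok    ') . $line . "\n";
}

unlink($dir . '/templates/list.php');
rmdir($dir . '/templates');
rmdir($dir);
```

The allow-list is the actual fix; the realpath containment check only guards against a future edit that widens the list or builds the path differently. Pair the code change with php.ini settings of the form open_basedir = /var/www/task-manager/:/tmp/ and allow_url_include = Off (both paths are placeholders), remembering that the latter affects only remote inclusion.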
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:19:48.981Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 6943b04c4eb3efac36700367
Added to database: 12/18/2025, 7:42:04 AM
Last enriched: 12/18/2025, 8:32:24 AM
Last updated: 12/19/2025, 8:25:10 AM
Related Threats
CVE-2025-66501: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com (Medium)
CVE-2025-66500: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. webplugins.foxit.com (Medium)
CVE-2025-66499: CWE-190 Integer Overflow or Wraparound in Foxit Software Inc. Foxit PDF Reader (High)
CVE-2025-66498: CWE-125 Out-of-bounds Read in Foxit Software Inc. Foxit PDF Reader (Medium)
CVE-2025-66497: CWE-125 Out-of-bounds Read in Foxit Software Inc. Foxit PDF Reader (Medium)