
CVE-2025-7413: Unrestricted Upload in code-projects Library System

Severity: Medium
Published: Thu Jul 10 2025 (07/10/2025, 20:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Library System

Description

A vulnerability classified as critical has been found in code-projects Library System 1.0. This affects an unknown part of the file /user/teacher/profile.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/10/2025, 20:31:22 UTC

Technical Analysis

CVE-2025-7413 is a vulnerability identified in version 1.0 of the code-projects Library System, specifically affecting the /user/teacher/profile.php file. The vulnerability arises from improper handling of the 'image' argument, which allows an attacker to perform an unrestricted file upload: an attacker holding low privileges can remotely upload arbitrary files to the server without any user interaction. The vulnerability carries a CVSS 4.0 base score of 5.3, a medium severity level. The vector shows that the attack can be performed over the network (AV:N), requires low attack complexity (AC:L), low privileges (PR:L) and no user interaction (UI:N), and that the impact on confidentiality, integrity, and availability is low (VC:L, VI:L, VA:L). The exploit has been publicly disclosed, but there are no known exploits actively used in the wild at this time. The unrestricted upload flaw could allow an attacker to upload malicious scripts or executables, potentially leading to remote code execution, data compromise, or service disruption if the uploaded files are executed or accessed by the system. However, the impact is somewhat limited by the low impact scores and the requirement of low privileges, which indicates that some level of user authentication or access is necessary to reach the vulnerable endpoint. The lack of available patches or mitigations at the time of publication increases the risk for affected systems if left unaddressed.

Potential Impact

For European organizations using the code-projects Library System 1.0, this vulnerability poses a moderate risk. The ability to upload arbitrary files remotely could lead to unauthorized access, data leakage, or service disruption, especially if attackers manage to upload web shells or malware. Educational institutions or libraries using this system could face reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational downtime. The medium severity rating suggests that while the vulnerability is exploitable, the overall impact might be limited by existing access controls or system configurations. However, organizations with weak internal controls or exposed instances of the affected software are at higher risk. The public disclosure of the exploit increases the urgency for European entities to assess their exposure and implement mitigations promptly to prevent potential exploitation.

Mitigation Recommendations

1. Immediately assess all instances running code-projects Library System 1.0 to identify vulnerable endpoints, particularly /user/teacher/profile.php.
2. Implement strict input validation and file type restrictions on the 'image' upload parameter to prevent uploading of executable or script files.
3. Employ server-side controls such as disabling execution permissions in upload directories to mitigate the impact of any uploaded malicious files.
4. Restrict access to the upload functionality by enforcing strong authentication and authorization mechanisms, ensuring only trusted users can upload files.
5. Monitor logs for unusual upload activity or access patterns indicative of exploitation attempts.
6. If possible, isolate the affected system within a segmented network zone to limit lateral movement in case of compromise.
7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
8. Consider deploying web application firewalls (WAF) with custom rules to detect and block suspicious upload requests targeting this vulnerability.
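As an added example (not code from the affected project), this is the kind of server-side check that recommendations 2 and 3 describe, written for a PHP `image` upload field. The upload directory, the size limit and the `storeProfileImage` name are assumptions.

```php
<?php
// Added example of a hardened handler for an `image` form field.
// Not code from code-projects Library System; the directory and limits are assumed.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads/profile_images'; // assumed; outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist of content types, each mapped to the extension the server will assign.
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate and store one uploaded profile image.
 * Returns the server-chosen file name, or throws on any validation failure.
 */
function storeProfileImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes, never from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Require that the content actually decodes as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: no user-controlled path or extension ever reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

// Usage in the profile handler:
// $stored = storeProfileImage($_FILES['image']);
```

A valid image can still carry script text inside its metadata, so the stored files should be served back through a script that reads from UPLOAD_DIR and sets the Content-Type itself, or from a directory where the web server has script execution disabled.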


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-10T07:31:51.434Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68701f8ba83201eaaca99fe6

Added to database: 7/10/2025, 8:16:11 PM

Last enriched: 7/10/2025, 8:31:22 PM

Last updated: 7/11/2025, 7:58:35 AM
