CVE-2025-9397

A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Applying a patch is advised to resolve this issue. The code maintainer explains, that "[he] fixed the code to remove this vulnerability and will make a new release".

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/August829/Yu/blob/main/20250812_2.md	Exploit
https://github.com/August829/Yu/blob/main/20250812_2.md#poc	Exploit
https://vuldb.com/?ctiid.321233	Permissions Required VDB Entry
https://vuldb.com/?id.321233	Third Party Advisory VDB Entry
https://vuldb.com/?submit.632530	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:vvveb:vvveb:*:*:*:*:*:*:*:*

History

27 Aug 2025, 19:01

Type	Values Removed	Values Added
CPE		cpe:2.3:a:vvveb:vvveb::::::::
First Time		Vvveb Vvveb vvveb
References	~~() https://github.com/August829/Yu/blob/main/20250812_2.md -~~	() https://github.com/August829/Yu/blob/main/20250812_2.md - Exploit
References	~~() https://github.com/August829/Yu/blob/main/20250812_2.md#poc -~~	() https://github.com/August829/Yu/blob/main/20250812_2.md#poc - Exploit
References	~~() https://vuldb.com/?ctiid.321233 -~~	() https://vuldb.com/?ctiid.321233 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.321233 -~~	() https://vuldb.com/?id.321233 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.632530 -~~	() https://vuldb.com/?submit.632530 - Third Party Advisory, VDB Entry

25 Aug 2025, 20:24

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en givanz Vvveb hasta la versión 1.0.7.2. Afecta a una función desconocida del archivo /system/traits/media.php. La manipulación del argumento files[] puede provocar una carga sin restricciones. El ataque puede ejecutarse en remoto. Se ha hecho público el exploit y puede que sea utilizado. Se recomienda aplicar un parche para resolver este problema. El responsable del código explica que "corrigió el código para eliminar esta vulnerabilidad y publicará una nueva versión".

24 Aug 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-24 23:15

Updated : 2025-08-27 19:01

NVD link : CVE-2025-9397

Mitre link : CVE-2025-9397

CVE.ORG link : CVE-2025-9397

JSON object : View

Products Affected

vvveb

vvveb

CWE

CWE-284

Improper Access Control

CWE-434

Unrestricted Upload of File with Dangerous Type

6.3 /10