Bdtask Flight Booking Software CVE-2025-12222
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 allows authenticated remote attackers to upload arbitrary files via the /admin/transaction/deposit endpoint. The vulnerability requires valid user credentials (PR:L in CVSS vector) but grants attackers capability to upload files with minimal scope impact. Public exploit code is available, though the very low EPSS score (0.02%) and lack of CISA KEV listing suggest limited real-world exploitation despite disclosure.
Technical ContextAI
The vulnerability exists in the Deposit Handler component that processes file uploads at the /admin/transaction/deposit endpoint. CWE-284 (Improper Access Control) indicates insufficient validation of upload requests, likely missing or bypassed file type, size, or path restrictions. The endpoint accepts authenticated requests (PR:L per CVSS vector) but does not properly constrain what files may be uploaded or where they are stored. This is a classic unrestricted upload flaw common in web applications that lack file extension whitelisting, MIME type validation, or server-side execution prevention.
RemediationAI
Upgrade Bdtask Flight Booking Software to a version later than 3.1 if available from the vendor. However, given the vendor's documented non-response to disclosure, no official patched version has been confirmed. As immediate compensating controls, implement strict access restrictions on the /admin/transaction/deposit endpoint using web application firewall rules or reverse proxy authentication to allow only trusted administrators. Disable or restrict the file upload functionality in the Deposit Handler if not actively required for business operations. Implement server-side file upload validation including strict MIME type whitelisting, file extension restrictions, and storage outside the web root to prevent direct execution. Monitor upload activity for anomalous file types or sizes. If the vendor remains unresponsive, consider migrating to an actively maintained flight booking platform.
More in Flight Booking Software
View allSame weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today