Bdtask Flight Booking Software CVE-2025-12223
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in Bdtask Flight Booking Software up to 3.1. This affects an unknown part of the file /b2c/package-information of the component Package Information Module. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 via the Package Information Module endpoint /b2c/package-information allows authenticated remote attackers to upload arbitrary files with low confidentiality and integrity impact. Publicly available exploit code exists; the vulnerability carries a low CVSS score (2.1) due to requiring prior authentication and limited scope, but the ease of exploitation (AC:L, public POC) and vendor non-responsiveness elevate practical risk for deployed instances.
Technical ContextAI
The vulnerability resides in the Package Information Module, a component of Bdtask Flight Booking Software's B2C interface. The affected endpoint /b2c/package-information implements a file upload mechanism without proper validation or restriction controls, enabling authenticated users to bypass intended upload constraints. This is classified under CWE-284 (Improper Access Control / Incorrect Permission Assignment), indicating the root cause is insufficient authorization checks on the upload functionality. The attack vector is network-based (AV:N), does not require user interaction (UI:N), and is accessible to authenticated users (PR:L in CVSS 4.0 vector), suggesting the vulnerability may exist in authenticated administrative or user-facing upload endpoints.
RemediationAI
No vendor-released patch identified at time of analysis; Bdtask has not responded to responsible disclosure attempts. Immediate mitigation options: (1) Upgrade to a version newer than 3.1 if available from Bdtask (requires direct vendor contact or community sources), (2) Restrict network access to the /b2c/package-information endpoint via web application firewall (WAF) or reverse proxy, allowing only trusted internal or administrative IP ranges, (3) Implement strict file type validation and upload directory restrictions at the application level if source code access is available, (4) Disable the Package Information Module feature entirely if not operationally required, (5) Enforce role-based access control to limit which user accounts can authenticate and access upload functionality. Organizations should document their chosen mitigation and monitor for vendor updates or community patches.
More in Flight Booking Software
View allSame weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today