baowzh hfly CVE-2025-14520
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD (CVSS vector source: NVD); only source for this CVE.
Description (CVE.org)
A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. Impacted is an unknown function of the file /admin/index.php/datafile/delfile. This manipulation of the argument filename causes path traversal. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Arbitrary file deletion via path traversal in baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c allows authenticated remote attackers to delete files by manipulating the filename parameter of /admin/index.php/datafile/delfile. Public exploit code is available, but the issue remains low-risk because of the authentication requirement and its limited scope (information integrity impact only).
Technical Context (AI)
The vulnerability exists in a PHP-based travel website CMS (hfly) that processes file deletion requests through an admin endpoint. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): user-supplied input in the filename parameter is not validated before it is used in a file system operation. The /admin/index.php/datafile/delfile endpoint does not sanitize path traversal sequences (such as ../) or absolute paths, so a request can reference files outside the intended deletion directory. The product uses a rolling release model, meaning fixes are deployed continuously rather than through traditional versioning, so there is no fixed version number to check against.
Remediation (AI)
No vendor-released patch with a confirmed fix version has been identified at the time of analysis, owing to the vendor's non-responsiveness and the rolling release model. Security teams should:
(1) Review the commit history of the baowzh hfly repository after 638ff9abe9078bc977c132b37acbe1900b63491c for any patches to the filename parameter handling in /admin/index.php/datafile/delfile, in particular the introduction of path canonicalization and whitelisting.
(2) As an immediate compensating control, restrict network access to /admin/* endpoints with a Web Application Firewall or reverse proxy, allowing only known administrative IP addresses.
(3) Implement strict input validation on the filename parameter to reject path traversal sequences (../, ..\) and absolute paths (starting with / or a drive letter).
(4) Apply the principle of least privilege to the PHP execution user so that it cannot delete critical system files.
(5) Enable and monitor access logs for DELETE requests to /admin/index.php/datafile/delfile with unusual filename patterns.
These controls trade operational flexibility for security; restrict administrative access carefully to avoid blocking legitimate operations.
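To illustrate controls (3) and (4) in the language the affected product is written in, here is an added example of a hardened delete handler. It is not hfly's code and does not reproduce the vulnerable endpoint; the function name safeDeleteUpload, the upload directory and the request parameter wiring are assumptions.

```php
<?php
// Added example (not hfly's own code). The unsafe pattern this advisory
// describes is, in essence, unlink($uploadDir . '/' . $_POST['filename']),
// which lets "../" segments or an absolute path leave $uploadDir.
// This handler canonicalizes both sides and compares them before deleting.

function safeDeleteUpload(string $baseDir, string $filename): bool
{
    // Canonicalize the permitted directory once; realpath() resolves
    // symlinks and ".." so later comparisons are on absolute paths.
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }

    // Defence in depth: accept only a bare file name. This rejects "/",
    // "\", NUL bytes (which realpath() would choke on), "." and "..".
    if ($filename === '' || $filename !== basename($filename)
        || strpbrk($filename, "\\/\0") !== false
        || $filename === '.' || $filename === '..') {
        return false;
    }

    // Canonicalize the candidate and require it to be inside $base.
    // realpath() returns false for a missing file, which is also refused.
    $target = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // escaped the directory (e.g. through a symlink)
    }

    // Only regular files may be removed, never directories or devices.
    if (!is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Constructed demonstration: a scratch directory stands in for the
// CMS upload directory; in the real endpoint $filename would come from
// the request parameter, e.g. $_POST['filename'] ?? ''.
$uploadDir = sys_get_temp_dir() . '/delfile-demo-' . bin2hex(random_bytes(4));
mkdir($uploadDir);
file_put_contents($uploadDir . '/export.csv', "id,name\n");

foreach (['../../etc/passwd', '/etc/passwd', 'export.csv', 'export.csv'] as $name) {
    printf("%-20s => %s\n", $name, safeDeleteUpload($uploadDir, $name) ? 'deleted' : 'refused');
}
rmdir($uploadDir);
```

The PHP process should additionally run as an account that owns nothing outside the upload directory, so that even a logic error in this check cannot remove application or system files.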