CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Description
Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary directories on the server via the /api/file_manager/directories endpoint, (3) read arbitrary files from the server by copying the file to a readable location within the application via the /api/file_manager/copy_files endpoint, (4) delete arbitrary files from the server via a DELETE request to /api/file_manager/files, or (5) create arbitrary files on the server by uploading them and then leveraging the /api/file_manager/move_files endpoint to move them anywhere in the filesystem.
Analysis
CVE-2025-52922 is a directory traversal vulnerability in Innoshop through version 0.4.1 that allows authenticated administrators to abuse multiple FileManager API endpoints to map the filesystem, create/delete arbitrary directories and files, read sensitive files, and move files anywhere on the server. With a CVSS score of 7.4 and low attack complexity, this represents a significant integrity and confidentiality risk for affected deployments, though exploitation requires valid administrative credentials.
Technical Context
The vulnerability stems from improper input validation in Innoshop's FileManager API, specifically the base_folder parameter and the file operation endpoints (/api/file_manager/files, /api/file_manager/directories, /api/file_manager/copy_files, /api/file_manager/move_files). The root cause is CWE-23 (Relative Path Traversal), which occurs when user-supplied input containing path traversal sequences (../) is not properly sanitized before being used in filesystem operations. This allows attackers to escape the intended application directory boundaries. Innoshop is a PHP-based e-commerce platform; the vulnerability affects versions up to and including 0.4.1. The FileManager functionality is typically used for managing product images, documents, and other media assets, making it a high-value attack surface.
Affected Products
Innoshop versions 0.4.1 and earlier. The CPE would likely be cpe:2.3:a:innoshop:innoshop:*:*:*:*:*:*:*:* with version constraint <=0.4.1. No specific vendor advisory link was provided in the intelligence sources, but organizations should check the official Innoshop GitHub repository (github.com/innoshop/innoshop) or vendor security advisories for patch releases. Affected installations are those with: (1) Innoshop 0.4.1 or older deployed, (2) FileManager API endpoints exposed, and (3) user accounts with admin/file management privileges.
Remediation
Immediate actions: (1) Upgrade Innoshop to a patched version >0.4.1 once available from the vendor (check official releases and security advisories); (2) If a patched version is unavailable, implement strict access controls that restrict admin panel access to trusted IP ranges and require multi-factor authentication for admin accounts; (3) Apply input validation/sanitization patches to FileManager API endpoints by checking for and rejecting path traversal sequences (../, ..\, encoded variants); (4) Disable the FileManager API if it is not in use; (5) Conduct a filesystem audit to detect unauthorized directory creation or file modifications. Workarounds pending a patch: implement a WAF rule blocking requests to /api/file_manager/* endpoints containing ../ or URL-encoded equivalents (%2e%2e/), restrict admin panel network access, and monitor FileManager API logs for suspicious base_folder parameters.
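One way to implement the log monitoring suggested above, as an added example (not Innoshop's code and not part of the original advisory): it decodes query parameters through several encoding layers and flags any whose path segments are exactly `..`. The access-log layout, the sample lines and the function names are assumptions; only the query string is inspected, since parameters sent in request bodies do not appear in access logs and need application-level logging.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

API_PREFIX = "/api/file_manager/"  # endpoint prefix named in the advisory
MAX_DECODE_ROUNDS = 3              # assumption: enough for double/triple encoding
# Assumed access-log layout: ... "METHOD target HTTP/x.y" ...
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value):
    """Percent-decode until stable so %252e%252e and %2e%2e both become '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any decoded path segment is exactly '..' (slash or backslash)."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))

def suspicious_params(log_line):
    """Return (parameter, decoded value) pairs carrying traversal segments."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.startswith(API_PREFIX):
        return []
    # parse_qsl decodes one layer; fully_decode strips any remaining layers
    return [(name, fully_decode(value))
            for name, value in parse_qsl(url.query, keep_blank_values=True)
            if has_traversal(value)]

# Constructed sample log lines (documentation IP range, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET /api/file_manager/files?base_folder=/products HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2025:10:00:02 +0000] "GET /api/file_manager/files?base_folder=../../etc HTTP/1.1" 200 734',
    '203.0.113.7 - - [01/Jul/2025:10:00:03 +0000] "GET /api/file_manager/files?base_folder=%252e%252e%2f%252e%252e%2fetc HTTP/1.1" 200 734',
    '203.0.113.7 - - [01/Jul/2025:10:00:04 +0000] "GET /api/file_manager/files?base_folder=..%5C..%5Cconfig HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jul/2025:10:00:05 +0000] "GET /api/file_manager/files?base_folder=/products/v1..2 HTTP/1.1" 200 64',
]

def scan(lines):
    """Map 1-based line number -> findings for every line with a hit."""
    return {n: hits for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
```

Matching whole `..` segments after decoding avoids flagging names such as `v1..2` while still catching mixed separators and stacked encodings that a literal `../` string match would miss.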
EUVD-2025-18867