Document Management System
CVE-2025-8171
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in code-projects Document Management System 1.0. This issue affects some unknown processing of the file /insert.php. The manipulation of the argument uploaded_file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Unrestricted file upload in code-projects Document Management System 1.0 via the /insert.php endpoint allows authenticated remote attackers to upload arbitrary files by manipulating the uploaded_file parameter, potentially enabling remote code execution or data exfiltration. Publicly available exploit code exists, though the EPSS score of 0.06% suggests limited real-world exploitation likelihood, given the low rated impact and the requirement for authenticated access.
Technical Context (AI)
The vulnerability resides in the /insert.php file of Document Management System 1.0, which handles file uploads. The uploaded_file parameter lacks proper validation or restrictions on file types, sizes, or naming conventions, permitting attackers to bypass intended upload controls. CWE-284 (Improper Access Control) indicates the root cause is inadequate authorization checks or missing file type validation. The PHP-based application processes user-supplied file input without sanitization or server-side enforcement of allowed file extensions or MIME types.
Remediation (AI)
Apply a patched version from the vendor, if one is available, via https://code-projects.org/. If no vendor patch is released, immediately implement server-side file type validation: maintain a whitelist of allowed file extensions (e.g., .pdf, .docx, .txt) and verify MIME types server-side rather than trusting the user-supplied Content-Type header. Rename uploaded files to server-generated names without executable extensions and store them outside the web root so they cannot be requested directly. Prevent PHP/CGI execution in the upload directory by configuring the web server (Apache: php_flag engine off; nginx: deny .php execution in the upload path) and restrict write permissions on that directory. Additionally, implement rate limiting on /insert.php to mitigate automated exploitation, and audit existing uploads for suspicious files. Where the endpoint must remain reachable, restrict access to /insert.php to specific IP ranges or require additional authentication factors.
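The following is an added example, not code from Document Management System or its vendor, showing how the server-side controls above fit together in a PHP upload handler: extension whitelist, content-based MIME check, server-chosen file name, and storage outside the web root. It assumes the form field is still named uploaded_file and that /var/dms-uploads is an assumed directory outside the web root that PHP can write to.

```php
<?php
// Added example, not code from Document Management System: a hardened
// replacement for the /insert.php upload path. Assumes the form field is
// still "uploaded_file" and /var/dms-uploads is outside the web root.
declare(strict_types=1);
const UPLOAD_DIR = '/var/dms-uploads';   // assumed path, not web-reachable
const MAX_BYTES  = 10 * 1024 * 1024;     // 10 MiB size cap
// Extension whitelist mapped to the MIME types its content must sniff as.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'txt'  => ['text/plain'],
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept a temp file PHP created for this request, never a user path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // The extension is user-controlled: check only the final one against the
    // whitelist, so "shell.php" and "doc.pdf.php" are both rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Sniff MIME from content; the client-sent $file['type'] is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    // Server-chosen random name: no user-supplied characters touch the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest; // serve via a download script that sets Content-Disposition
}

if (isset($_FILES['uploaded_file'])) {
    echo basename(store_upload($_FILES['uploaded_file']));
}
```

On some systems libmagic reports .docx content as application/zip, so the docx entry may need that type added; even then the file is never stored under an executable extension or inside the web root.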