Skip to main content

299Ko CMS CVE-2025-8265

LOW
Improper Access Control (CWE-284)
2025-07-28 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:17 vuln.today

DescriptionCVE.org

A vulnerability classified as critical has been found in 299Ko CMS 2.0.0. This affects an unknown part of the file /admin/filemanager/view of the component File Management. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

File upload restriction bypass in 299Ko CMS 2.0.0 allows authenticated administrators to upload arbitrary files via the /admin/filemanager/view endpoint, classified as critical but constrained by high-privilege requirement. The vulnerability stems from improper access controls in the file management component (CWE-284). While a public exploit disclosure exists, the EPSS score of 0.06% and CVSS 2.0 reflect the mitigation factor of administrator-level privileges required (PR:H), making real-world exploitation practical only against compromised or malicious admin accounts.

Technical ContextAI

The vulnerability affects the file management component in 299Ko CMS 2.0.0, specifically the /admin/filemanager/view endpoint. CWE-284 (Improper Access Control) indicates the root cause is inadequate validation of file upload operations, permitting authenticated high-privilege users to circumvent file type restrictions or upload to unauthorized directories. The file management functionality typically handles document or asset uploads for content management; insufficient server-side validation of upload parameters (such as file type, destination path, or content inspection) allows bypass of intended upload restrictions. This is a privilege escalation or authorization flaw rather than a pre-authentication bypass, since CVSS vector PR:H confirms administrator credentials are required to trigger the vulnerability.

Affected ProductsAI

299Ko CMS version 2.0.0 is affected, specifically the file management component accessible at /admin/filemanager/view. No other versions or product variants are documented in the available references. No CVE entries linking to specific CPE strings or vendor official advisories were located; vulnerability tracking is limited to VulDB entries (ctiid.317853, id.317853) and the public disclosure GitHub reference.

RemediationAI

No vendor-released patch has been identified at time of analysis, given the vendor's non-response to the disclosure. Immediate mitigations include: (1) Restrict administrative access via network segmentation or VPN requirement - limit /admin/* endpoints to trusted IP ranges only; (2) Implement file upload restrictions at the web server level (e.g., nginx/Apache allow-list for .pdf/.jpg only, block .php/.exe/.jar) to prevent execution of uploaded malicious files even if the CMS upload validation is bypassed; (3) Disable the file management feature entirely if not actively used, or move it behind additional authentication (e.g., IP whitelist plus password); (4) Monitor file uploads to the managed directory for suspicious file types or sizes; (5) If upgrading is possible, contact 299Ko for a patched version or consider migration to a supported CMS with active security maintenance. Upload directory should never have executable permissions (.htaccess deny execution, or place uploads outside webroot). These controls reduce blast radius but do not eliminate the vulnerability - long-term remediation requires vendor patch or product replacement.

Share

CVE-2025-8265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy