299Ko CMS CVE-2025-8265
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as critical has been found in 299Ko CMS 2.0.0. This affects an unknown part of the file /admin/filemanager/view of the component File Management. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
File upload restriction bypass in 299Ko CMS 2.0.0 allows authenticated administrators to upload arbitrary files via the /admin/filemanager/view endpoint, classified as critical but constrained by high-privilege requirement. The vulnerability stems from improper access controls in the file management component (CWE-284). While a public exploit disclosure exists, the EPSS score of 0.06% and CVSS 2.0 reflect the mitigation factor of administrator-level privileges required (PR:H), making real-world exploitation practical only against compromised or malicious admin accounts.
Technical ContextAI
The vulnerability affects the file management component in 299Ko CMS 2.0.0, specifically the /admin/filemanager/view endpoint. CWE-284 (Improper Access Control) indicates the root cause is inadequate validation of file upload operations, permitting authenticated high-privilege users to circumvent file type restrictions or upload to unauthorized directories. The file management functionality typically handles document or asset uploads for content management; insufficient server-side validation of upload parameters (such as file type, destination path, or content inspection) allows bypass of intended upload restrictions. This is a privilege escalation or authorization flaw rather than a pre-authentication bypass, since CVSS vector PR:H confirms administrator credentials are required to trigger the vulnerability.
Affected ProductsAI
299Ko CMS version 2.0.0 is affected, specifically the file management component accessible at /admin/filemanager/view. No other versions or product variants are documented in the available references. No CVE entries linking to specific CPE strings or vendor official advisories were located; vulnerability tracking is limited to VulDB entries (ctiid.317853, id.317853) and the public disclosure GitHub reference.
RemediationAI
No vendor-released patch has been identified at time of analysis, given the vendor's non-response to the disclosure. Immediate mitigations include: (1) Restrict administrative access via network segmentation or VPN requirement - limit /admin/* endpoints to trusted IP ranges only; (2) Implement file upload restrictions at the web server level (e.g., nginx/Apache allow-list for .pdf/.jpg only, block .php/.exe/.jar) to prevent execution of uploaded malicious files even if the CMS upload validation is bypassed; (3) Disable the file management feature entirely if not actively used, or move it behind additional authentication (e.g., IP whitelist plus password); (4) Monitor file uploads to the managed directory for suspicious file types or sizes; (5) If upgrading is possible, contact 299Ko for a patched version or consider migration to a supported CMS with active security maintenance. Upload directory should never have executable permissions (.htaccess deny execution, or place uploads outside webroot). These controls reduce blast radius but do not eliminate the vulnerability - long-term remediation requires vendor patch or product replacement.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today