Skip to main content

Innoshop EUVDEUVD-2025-18867

| CVE-2025-52922 HIGH
Relative Path Traversal (CWE-23)
2025-06-23 cve@mitre.org
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18867
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 12:15 nvd
HIGH 7.4

DescriptionCVE.org

Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary directories on the server via the /api/file_manager/directories endpoint, (3) read arbitrary files from the server by copying the file to a readable location within the application via the /api/file_manager/copy_files endpoint, {4) delete arbitrary files from the server via a DELETE request to /api/file_manager/files, or (5) create arbitrary files on the server by uploading them and then leveraging the /api/file_manager/move_files endpoint to move them anywhere in the filesystem.

AnalysisAI

CVE-2025-52922 is a directory traversal vulnerability in Innoshop through version 0.4.1 that allows authenticated administrators to abuse multiple FileManager API endpoints to map the filesystem, create/delete arbitrary directories and files, read sensitive files, and move files anywhere on the server. With a CVSS score of 7.4 and low attack complexity, this represents a significant integrity and confidentiality risk for affected deployments, though exploitation requires valid administrative credentials.

Technical ContextAI

The vulnerability exploits improper input validation in Innoshop's FileManager API, specifically the base_folder parameter and file operation endpoints (/api/file_manager/files, /api/file_manager/directories, /api/file_manager/copy_files, /api/file_manager/move_files). The root cause is CWE-23 (Relative Path Traversal), which occurs when user-supplied input containing path traversal sequences (../) is not properly sanitized before being used in filesystem operations. This allows attackers to escape the intended application directory boundaries. Innoshop is a PHP-based e-commerce platform; the vulnerability affects versions up to and including 0.4.1. The FileManager functionality is typically used for managing product images, documents, and other media assets, making it a high-value attack surface.

RemediationAI

Immediate actions: (1) Upgrade Innoshop to a patched version >0.4.1 once available from the vendor (check official releases and security advisories); (2) If patched version unavailable, implement strict access controls restricting admin panel access to trusted IP ranges and multi-factor authentication for admin accounts; (3) Apply input validation/sanitization patches to FileManager API endpoints by checking for and rejecting path traversal sequences (../, ..\, encoded variants); (4) Disable FileManager API if not in use; (5) Conduct a filesystem audit to detect unauthorized directory creation or file modifications. Workarounds pending patch: implement a WAF rule blocking requests to /api/file_manager/* endpoints containing ../ or URL-encoded equivalents (%2e%2e/), restrict admin panel network access, and monitor FileManager API logs for suspicious base_folder parameters.

Share

EUVD-2025-18867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy