CVE-2025-0973

5.4 MEDIUM

📋 TL;DR

This critical vulnerability in CmsEasy 7.7.7.9 allows remote attackers to perform path traversal attacks via the select[] parameter in the backAll_action function. This could enable unauthorized file access or manipulation. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • CmsEasy
Versions: 7.7.7.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin_dir=admin&site=default parameters to be accessible, which may vary by installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attackers could read, modify, or delete sensitive system files, potentially leading to complete system compromise or data exfiltration.

🟠 Likely Case

Attackers could access configuration files, source code, or database backups, potentially leading to credential theft or further exploitation.

🟢 If Mitigated

With proper file permissions and web server restrictions, impact would be limited to accessible files within the web directory.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or apply workarounds.

🔧 Temporary Workarounds

Input Validation Filter (Platform: all)

Add input validation to sanitize the select[] parameter so that directory traversal sequences are rejected.

Modify lib/admin/database_admin.php to validate the select[] parameter against an allowlist of permitted values.

Access Restriction (Platform: all)

Restrict access to the vulnerable endpoint via web server configuration or firewall rules. Note that neither an Apache <Location> block nor an Nginx location block matches the query string, so the case/act parameters have to be tested explicitly:

# Apache 2.4: <Location> matches only the path, so test the query string with <If>
<If "%{QUERY_STRING} =~ /case=database&act=backAll/i">
    Require all denied
</If>

# Nginx: location regexes match only the URI path, so test $args inside the
# location block that already serves index.php
if ($args ~* "case=database&act=backAll") { return 403; }

🧯 If You Can't Patch

  • Implement strict file permissions to limit web server access to sensitive directories.
  • Deploy a WAF (Web Application Firewall) with rules to block path traversal attempts.

🔍 How to Verify

Check if Vulnerable:

Check if your CmsEasy version is 7.7.7.9 and if the endpoint /index.php?case=database&act=backAll&admin_dir=admin&site=default is accessible.

Check Version:

Check CmsEasy version in admin panel or configuration files.

Verify Fix Applied:

Test the vulnerable endpoint with path traversal payloads to confirm they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing "case=database&act=backAll" with suspicious select[] parameters containing "../" or "..\"
  • Unusual file access patterns from web server process

Network Indicators:

  • HTTP requests to vulnerable endpoint with traversal sequences in parameters

SIEM Query:

source="web_logs" AND uri="*case=database&act=backAll*" AND (param="*../*" OR param="*..\\*")
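A log-scanning routine that applies the indicators above to web server access logs, added here as an example and not part of this advisory. It assumes Apache/Nginx combined log format; the sample lines are constructed, and it URL-decodes select[] values so encoded traversal sequences (%2e%2e%2f) are caught as well as literal ones.

```python
"""Flag CmsEasy backAll requests whose select[] values carry directory
traversal (added example; the log lines below are constructed, not real)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log in combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "GET /index.php?case=database&act=backAll&admin_dir=admin&site=default&select[]=../../config/config.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Feb/2025:10:01:09 +0000] "GET /index.php?case=database&act=backAll&admin_dir=admin&site=default&select%5B%5D=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Feb/2025:10:02:00 +0000] "GET /index.php?case=database&act=backAll&admin_dir=admin&site=default&select[]=cmseasy_user HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2025:10:03:00 +0000] "GET /index.php?case=article&act=list&select[]=../x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request target (method and protocol are skipped)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# both separator styles named in the advisory's log indicators
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def is_traversal(value):
    """True if the value contains ../ or ..\\ after unwinding URL-encoding."""
    decoded = value
    for _ in range(3):  # unwind a few layers of double-encoding
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return bool(TRAVERSAL_RE.search(decoded))


def scan_line(line):
    """Return (client_ip, timestamp, offending select[] values), or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    # parse_qs decodes keys too, so select%5B%5D becomes select[]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # only the backAll action of the database case is affected
    if params.get("case") != ["database"] or params.get("act") != ["backAll"]:
        return None
    hits = [v for v in params.get("select[]", []) if is_traversal(v)]
    return (ip, ts, hits) if hits else None


def scan_log(text):
    """Scan a whole log; returns one tuple per suspicious request."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]
```

The fourth sample line is deliberately ignored: a traversal string outside the database/backAll action is noise for this CVE and would only inflate alert volume.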
