CVE-2025-12223

6.3 MEDIUM

📋 TL;DR

An unrestricted file upload in the Package Information Module (the /b2c/package-information endpoint) of Bdtask Flight Booking Software up to version 3.1 lets a remote attacker with a valid account upload files of any type, because neither the file extension nor the file content is checked server-side. If the uploaded file lands in a web-served directory that executes scripts, the attacker can run code on the server.

💻 Affected Systems

Products:
  • Bdtask Flight Booking Software
Versions: Up to version 3.1
Operating Systems: Any OS running the software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /b2c/package-information endpoint in the Package Information Module.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, theft of customer and booking data, and lateral movement within the network.

🟠 Likely Case

Webshell deployment allowing persistent access, data exfiltration, and further exploitation of the server.

🟢 If Mitigated

Limited impact where uploads are validated against an allowlist, the upload directory cannot execute scripts, and the application runs with restricted permissions; a web application firewall adds a further, bypassable layer.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing web applications.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk depends on internal segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (an authenticated session on the application is required)
Complexity: LOW

Exploit details are publicly available on GitHub; the proof of concept submits a file of an arbitrary type through the module's upload request, and the server stores it without validating the extension or content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch is known at the time of writing. Apply the workarounds below and check with the vendor for a release that addresses the issue; do not assume a later version is fixed until the vendor confirms it.

🔧 Temporary Workarounds

Implement File Upload Restrictions

Platform: all

Configure the web server or application to accept only an allowlist of extensions, verify that the file content matches the declared type, store each upload under a server-generated name with a single extension, and serve the upload directory without script execution.

Disable Package Information Module

Platform: all

Temporarily disable the upload form or restrict access to the /b2c/package-information endpoint (for example by IP allowlist at the web server) if the module is not required.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that reject multipart uploads whose filename or content indicates a script (script extensions such as .php/.phtml/.phar, double extensions, embedded <?php tags); treat this as a stopgap, since WAF rules are bypassable
  • Configure the web server so nothing in the upload directory is ever executed (no PHP handler for that path, or store uploads outside the web root and serve them through a download handler), and run the application as a low-privilege user

🔍 How to Verify

Check if Vulnerable:

Confirm that the installed Bdtask Flight Booking Software is version 3.1 or earlier. On an authorized test instance, attempt to upload a file that is not a permitted type through /b2c/package-information (for example a text file containing only a comment, renamed with a script extension); if the server stores it, the instance is vulnerable.

Check Version:

Check the software version in the admin panel or in the application's configuration files. Because no fixed version is known, a version number alone cannot confirm that an instance is safe.

Verify Fix Applied:

After applying the workarounds, repeat the upload test: files with script extensions, double-extension names (shell.php.jpg), and image files with an embedded PHP tag must all be rejected, and a harmless test file already in the upload directory must be served as plain content, not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activity to /b2c/package-information
  • Uploads of executable files (e.g., .php, .jsp, .asp)

Network Indicators:

  • HTTP POST requests to /b2c/package-information with file uploads
  • Unusual outbound connections from web server

SIEM Query:

source="web_server" AND (uri="/b2c/package-information" AND method="POST") AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")

The field names are illustrative: a plain access log does not record the uploaded filename, so file_extension is only available from application or WAF logs. Extend the extension list to .phtml and .phar, match double extensions (shell.php.jpg), and also watch for subsequent GET requests to script-like names under the upload directory, which is where a successful webshell deployment becomes visible.

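The access-log side of that detection, as an added example that is not part of the original page or of Bdtask's software: it parses combined-format log lines, collects POSTs to the vulnerable endpoint, flags requests for script-looking files under the upload directory (including double extensions), and correlates the two by client IP to surface an upload-then-execute chain. The upload directory path and the sample log lines are constructed assumptions; set the prefix to the real location for your install.

```python
import re

# Added example (not Bdtask code). Assumed location of stored package files.
VULN_ENDPOINT = "/b2c/package-information"
UPLOAD_DIR_PREFIX = "/uploads/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Script extension anywhere in the name, so a.php.jpg (Apache mod_mime treats
# every dot-segment as an extension) is caught as well as a.php.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|jsp|jspx|asp|aspx|cgi)(?=[./]|$)", re.I)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return upload POSTs, script requests under the upload dir, and the
    correlated upload-then-execute pairs (same client IP, POST before request).

    A 200 on a script request under the upload directory means the file was
    served by a handler (likely executed); a 403/404 there means the execution
    block or removal is working.
    """
    upload_posts = []       # (ip, ts)
    script_requests = []    # (ip, ts, path, status)
    chained = []            # (ip, post_ts, path)
    last_post_by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and route == VULN_ENDPOINT:
            upload_posts.append((rec["ip"], rec["ts"]))
            last_post_by_ip[rec["ip"]] = rec["ts"]
        elif route.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT.search(route):
            script_requests.append((rec["ip"], rec["ts"], rec["path"], rec["status"]))
            if rec["ip"] in last_post_by_ip:
                chained.append((rec["ip"], last_post_by_ip[rec["ip"]], rec["path"]))
    return {
        "upload_posts": upload_posts,
        "script_requests": script_requests,
        "upload_then_execute": chained,
    }


# Constructed sample log, not captured traffic. Legitimate user 10.0.0.5 uploads a
# package image; 203.0.113.9 uploads and then calls a webshell; 198.51.100.7 probes
# a double-extension name and is blocked.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /b2c/package-information HTTP/1.1" 200 5123
10.0.0.5 - - [12/Nov/2025:10:01:30 +0000] "POST /b2c/package-information HTTP/1.1" 302 0
203.0.113.9 - - [12/Nov/2025:10:02:11 +0000] "POST /b2c/package-information HTTP/1.1" 302 0
203.0.113.9 - - [12/Nov/2025:10:02:15 +0000] "GET /uploads/package/cmd.php?c=id HTTP/1.1" 200 87
not a log line at all
203.0.113.9 - - [12/Nov/2025:10:02:40 +0000] "GET /uploads/package/x.phtml HTTP/1.1" 200 87
10.0.0.5 - - [12/Nov/2025:10:03:00 +0000] "GET /uploads/package/beach.jpg HTTP/1.1" 200 40211
198.51.100.7 - - [12/Nov/2025:10:04:05 +0000] "GET /uploads/package/a.php.jpg HTTP/1.1" 403 199
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for key, rows in result.items():
        print(key)
        for row in rows:
            print("   ", row)
```

The IP correlation is a convenience, not a requirement: an attacker may upload from one address and call the shell from another, so any script request under the upload directory that returns 200 deserves a look on its own.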