CVE-2025-13200

Severity score: 5.3 MEDIUM

📋 TL;DR

This vulnerability in SourceCodester Farm Management System 1.0 allows attackers to remotely view directory listings, potentially exposing sensitive files and system information. Any organization using this specific version of the software is affected. The vulnerability enables information disclosure without requiring authentication.

💻 Affected Systems

Products:
  • SourceCodester Farm Management System
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the web application component and is independent of the underlying operating system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers discover and download sensitive configuration files, database backups, or credentials, leading to full system compromise or data breach.

🟠 Likely Case: Attackers enumerate directory structures to find vulnerable files, configuration details, or backup files that could facilitate further attacks.

🟢 If Mitigated: Directory listing is disabled, preventing information disclosure while the underlying vulnerability remains unpatched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires only web browser access or simple HTTP requests to vulnerable directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available. Check the vendor website for updates or consider alternative software.

🔧 Temporary Workarounds

Disable Directory Listing (applies to: all platforms)

Configure the web server so it does not generate directory listings for the application's directories.

For Apache: Add 'Options -Indexes' to .htaccess or httpd.conf
For Nginx: Add 'autoindex off;' to the server block configuration

Restrict Access with Authentication (applies to: all platforms)

Require authentication for access to sensitive directories.

For Apache: Use .htaccess with AuthType Basic
For Nginx: Use auth_basic directives

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block directory listing requests
  • Isolate the vulnerable system behind a reverse proxy that filters directory requests

🔍 How to Verify

Check if Vulnerable:

Access application directories via a browser or curl and check whether the directory contents are displayed for directories that have no index file

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Attempt to access directories and verify that directory listings are no longer displayed
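The "Check if Vulnerable" and "Verify Fix Applied" steps both come down to fetching a directory path and deciding whether the response is a server-generated index page. The following is an added example, not code from the advisory or from the Farm Management System project: it recognises the markup that Apache mod_autoindex and nginx autoindex emit (an "Index of /..." title or heading together with a parent-directory link) and runs the check over a list of paths through a pluggable fetcher, so the same logic can be exercised offline against the constructed sample responses below. The base URL and the directory paths are placeholders to be replaced with your own deployment's.

```python
"""Offline-testable check for auto-generated directory-listing responses.

Added example; not part of the advisory or of the Farm Management System
project. The sample responses at the bottom are constructed, not captured.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Apache (mod_autoindex) and nginx (autoindex on) both title their generated
# pages "Index of /<path>" and repeat it in an <h1>. Apache links the parent
# as "Parent Directory"; nginx links it as "../".
_TITLE_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_H1_RE = re.compile(r"<h1>\s*Index of\s+/", re.IGNORECASE)
_PARENT_RE = re.compile(
    r'href="(\.\./|/[^"]*)">\s*(Parent Directory|\.\./)', re.IGNORECASE
)


def looks_like_directory_listing(status: int, body: str) -> bool:
    """Return True when (status, body) is an auto-generated directory index."""
    if status != 200:
        return False
    # Require the heading AND the parent link so that an application page that
    # merely contains the words "Index of" is not reported as a listing.
    has_heading = bool(_TITLE_RE.search(body) or _H1_RE.search(body))
    return has_heading and bool(_PARENT_RE.search(body))


Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher: GET the URL and return (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(65536).decode("utf-8", "replace")


def check_paths(base_url: str, paths: List[str], fetch: Fetcher = http_fetch) -> Dict[str, bool]:
    """Map each directory path to True if it currently returns a listing."""
    results: Dict[str, bool] = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = looks_like_directory_listing(status, body)
    return results


# Constructed sample responses standing in for a server (hypothetical paths).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/uploads/": (200, '<html><head><title>Index of /uploads/</title></head><body>'
                       '<h1>Index of /uploads/</h1><hr><pre><a href="../">../</a>\n'
                       '<a href="backup.sql">backup.sql</a></pre></body></html>'),
    "/includes/": (200, '<html><head><title>Index of /includes</title></head><body>'
                        '<h1>Index of /includes</h1><table><tr><td>'
                        '<a href="/">Parent Directory</a></td></tr><tr><td>'
                        '<a href="config.php">config.php</a></td></tr></table></body></html>'),
    "/": (200, "<html><head><title>Farm Management System - Login</title></head>"
               "<body><form>...</form></body></html>"),
    "/secret/": (403, "<html><head><title>403 Forbidden</title></head>"
                      "<body><h1>Forbidden</h1></body></html>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Fetcher that answers from SAMPLE_RESPONSES instead of the network."""
    path = urllib.parse.urlsplit(url).path
    return SAMPLE_RESPONSES.get(path, (404, "<h1>Not Found</h1>"))


def run_sample() -> Dict[str, bool]:
    """Run the check over the constructed responses (offline)."""
    return check_paths("http://example.invalid", list(SAMPLE_RESPONSES), fetch=sample_fetch)


if __name__ == "__main__":
    for path, listed in run_sample().items():
        print(f"{path:12s} {'LISTING EXPOSED' if listed else 'ok'}")
```

Against a live deployment, call `check_paths("https://your-host/app", ["/uploads/", "/includes/"])` with the default fetcher before and after applying `Options -Indexes` or `autoindex off;`; every path should flip from True to False once the fix is in place. A 403 or a redirect to an index page both count as fixed, since neither is a listing.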

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to directory paths without specific file requests
  • Unusual access patterns to non-standard directories

Network Indicators:

  • HTTP requests ending with '/' or without file extensions returning directory listings

SIEM Query:

web.status_code=200 AND (url.path="/" OR url.path LIKE "%/") AND NOT (url.path LIKE "%.%" OR url.path LIKE "%/index.%")
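The log indicators and the SIEM query above can be applied directly to web server access logs. The block below is an added example, not from the advisory: it parses Apache/nginx combined-format lines, applies the same conditions as the SIEM query (status 200, path is "/" or ends in "/", path contains no "."), and then aggregates hits per client so that one visitor walking several directories stands out from ordinary traffic to the application root. The log lines are constructed for the example; the IP addresses are documentation ranges and the paths are hypothetical.

```python
"""Flag possible directory-listing access in combined-format access logs.

Added example; not part of the advisory. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Combined Log Format:
# host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_directory_request(path: str) -> bool:
    """Same predicate as the SIEM query: '/' or a trailing '/', and no '.' anywhere."""
    if "." in path:
        return False
    return path == "/" or path.endswith("/")


def find_listing_hits(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, bytes) for successful GET/HEAD requests to directory paths."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["method"] not in ("GET", "HEAD"):
            continue
        if is_directory_request(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["size"]))
    return hits


def enumerating_clients(hits: List[Tuple[str, str, int]], threshold: int = 3) -> Dict[str, int]:
    """Clients that successfully fetched `threshold` or more distinct directory paths."""
    paths_by_ip: Dict[str, set] = defaultdict(set)
    for ip, path, _ in hits:
        paths_by_ip[ip].add(path)
    return {ip: len(p) for ip, p in paths_by_ip.items() if len(p) >= threshold}


def analyze(lines: List[str], threshold: int = 3):
    """Convenience wrapper: (all directory hits, clients above the enumeration threshold)."""
    hits = find_listing_hits(lines)
    return hits, enumerating_clients(hits, threshold)


# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:14:02:11 +0000] "GET /farm/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:14:02:13 +0000] "GET /farm/uploads/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:14:02:15 +0000] "GET /farm/includes/ HTTP/1.1" 200 1675 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:14:02:17 +0000] "GET /farm/admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Nov/2025:14:05:01 +0000] "GET /farm/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Nov/2025:14:05:02 +0000] "GET /farm/assets/style.css HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Nov/2025:14:05:03 +0000] "GET /farm/?page=login HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Nov/2025:14:07:44 +0000] "POST /farm/actions/save/ HTTP/1.1" 200 42 "-" "curl/8.0"',
]

if __name__ == "__main__":
    hits, suspects = analyze(SAMPLE_LOG)
    for ip, path, size in hits:
        print(f"hit  {ip:15s} {path:25s} {size} bytes")
    for ip, n in suspects.items():
        print(f"SUSPECT {ip}: {n} distinct directory paths returned 200")
```

Two caveats carry over from the SIEM query itself. A single 200 on the application root (here `/farm/` and `/farm/?page=login`) is normal traffic, which is why the per-client threshold matters more than individual hits; and the "no dot in the path" rule also discards legitimate directory names that contain a dot, so tune the predicate to the deployment's actual paths. Whether a flagged 200 was really a listing is confirmed by the response body, not the log line, so pair this with the response check in the verification section.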
