CVE-2025-13238

6.3 MEDIUM

📋 TL;DR

Bdtask Flight Booking Software 4 contains an unrestricted file upload vulnerability in the agent profile edit functionality. Attackers can remotely upload malicious files to the server, potentially leading to code execution or system compromise. All systems running the vulnerable software version are affected.

💻 Affected Systems

Products:
  • Bdtask Flight Booking Software
Versions: Version 4
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /agent/profile/edit endpoint specifically. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Webshell deployment allowing persistent access, file manipulation, and potential privilege escalation.

🟢 If Mitigated: File upload attempts blocked or sanitized, limiting impact to failed upload attempts.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available. The vulnerability is straightforward to exploit with basic web attack tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider alternative software or implement workarounds.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (applies to: all platforms)

Implement WAF rules to block file uploads to the vulnerable endpoint or restrict file types.

File Upload Validation (applies to: all platforms)

Implement server-side file type validation, size limits, and content inspection for uploads.

🧯 If You Can't Patch

  • Isolate the affected system from critical networks and implement strict network segmentation.
  • Implement application-level input validation and file upload restrictions at the web server or reverse proxy level.

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a test file (e.g., .txt, .php) to the /agent/profile/edit endpoint and check whether it is accepted without proper validation.

Check Version:

Check software version in admin panel or configuration files. Exact command depends on deployment.

Verify Fix Applied:

Test file upload functionality with various file types to ensure proper validation and rejection of malicious files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /agent/profile/edit
  • Uploads of executable file types (.php, .jsp, .asp)
  • Large number of upload requests from single IP

Network Indicators:

  • HTTP POST requests to /agent/profile/edit with file uploads
  • Subsequent requests to uploaded files

SIEM Query:

source="web_logs" AND (uri="/agent/profile/edit" AND method="POST" AND content_type="multipart/form-data")
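The log and network indicators above can be turned into a small offline check. The following Python script is an added example (not part of the original advisory or the vendor's software); it assumes a combined-style access log with the request Content-Type appended as the last quoted field, and the log lines it parses are constructed samples. It flags multipart POSTs to the vulnerable endpoint, a later request for an executable file type from the same source, and bursts of uploads from one IP.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined-log style with the request
# Content-Type appended as the last quoted field); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /agent/profile/edit HTTP/1.1" 200 512 "multipart/form-data; boundary=x1"
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /uploads/agents/avatar.php HTTP/1.1" 200 88 "-"
10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "POST /agent/profile/edit HTTP/1.1" 200 512 "multipart/form-data; boundary=x2"
10.0.0.9 - - [01/Jan/2025:10:01:05 +0000] "GET /uploads/agents/photo.jpg HTTP/1.1" 200 4096 "-"
10.0.0.7 - - [01/Jan/2025:10:02:00 +0000] "GET /agent/profile/edit HTTP/1.1" 200 2048 "-"
"""

# Assumed log layout: ip ident user [time] "METHOD path proto" status bytes "content-type"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "(?P<ctype>[^"]*)"'
)
VULN_ENDPOINT = "/agent/profile/edit"          # endpoint named in the advisory
EXEC_EXT = (".php", ".jsp", ".asp")            # executable types listed as indicators

def parse(log_text):
    """Yield (ip, method, path, content_type) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].lower(), m["ctype"].lower()

def find_indicators(log_text, upload_threshold=3):
    """Return (indicator, ip, detail) tuples for the advisory's log/network indicators."""
    findings, uploads_by_ip, uploaders = [], Counter(), set()
    for ip, method, path, ctype in parse(log_text):
        # Indicator 1: multipart POST to the vulnerable endpoint (the SIEM query above)
        if method == "POST" and path == VULN_ENDPOINT and ctype.startswith("multipart/form-data"):
            findings.append(("multipart_upload", ip, path))
            uploads_by_ip[ip] += 1
            uploaders.add(ip)
        # Indicator 2: a source that uploaded earlier now fetches an executable file type
        elif method == "GET" and ip in uploaders and path.endswith(EXEC_EXT):
            findings.append(("executable_fetch_after_upload", ip, path))
    # Indicator 3: many upload requests from a single IP
    for ip, n in uploads_by_ip.items():
        if n >= upload_threshold:
            findings.append(("upload_burst", ip, f"{n} uploads"))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```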
