CVE-2025-13574

4.7 MEDIUM

📋 TL;DR

This vulnerability allows a remote attacker who holds administrator credentials for the Online Bidding System 1.0 administrator interface to upload arbitrary files via the catimage parameter of the categoryadd function (/administrator/addcategory.php). Because the uploaded file's type and name are not validated server-side, the attacker can store a web shell or other malicious file on the server and, if the image directory is served by the PHP handler, execute code. Only code-projects Online Bidding System 1.0 is affected.

💻 Affected Systems

Products:
  • code-projects Online Bidding System
Versions: 1.0
Operating Systems: Any OS running PHP web server (Linux, Windows, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator access to /administrator/addcategory.php endpoint; default installation appears vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment via uploaded web shells or malicious executables.

🟠

Likely Case

Unauthorized file upload leading to defacement, data manipulation, or limited server access depending on file execution permissions.

🟢

If Mitigated

File upload blocked or restricted to safe types, preventing exploitation while maintaining functionality.

🌐 Internet-Facing: HIGH - The endpoint is reachable over the network and a public exploit exists, so an exposed /administrator/ panel is a prime target. The attacker still needs administrator credentials, which makes weak, reused or phished admin passwords the realistic entry path.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access plus admin credentials; risk depends on the internal threat landscape (insiders, compromised workstations).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub; requires administrator credentials to access the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates, consider workarounds, or replace with alternative software.

🔧 Temporary Workarounds

Restrict File Upload Types

all

Edit /administrator/addcategory.php so that the catimage upload is validated server-side before the file is stored: allowlist a few image types (e.g., .jpg, .png), sniff the real content type from the file bytes rather than trusting the client-supplied filename or Content-Type, replace the filename with a server-generated one that carries a fixed, non-executable extension, and make sure the image directory cannot execute PHP.
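The following is an added example of such a hardened handler; it is not the project's own code. The field name catimage and the endpoint come from the advisory, while the upload directory, the helper name, the size limit and the existence of an earlier admin session check are assumptions.

```php
<?php
// Added example (not the project's code): server-side validation for the catimage
// upload in /administrator/addcategory.php. Upload directory, function name and
// the 2 MiB limit are assumptions.

// Typical vulnerable pattern (illustrative, not the project's exact code): the
// client-chosen name, and therefore the extension, is used as the stored name.
//   move_uploaded_file($_FILES['catimage']['tmp_name'], '../upload/' . $_FILES['catimage']['name']);

const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit

// Returns the server-chosen filename on success; throws on any validation failure.
function store_category_image(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept a file that really arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the content type from the bytes; never trust $file['type'] or the
    // client-supplied extension, which is exactly what the vulnerable handler does.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // It must also parse as an image of the same kind (a PHP script renamed to
    // .png fails here).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: random, with a fixed extension from the allowlist and
    // no user input at all.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage inside the categoryadd handler, after the existing admin session check:
// try {
//     $stored = store_category_image($_FILES['catimage'], __DIR__ . '/../upload');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Invalid image: ' . htmlspecialchars($e->getMessage()));
// }
```

Two caveats. A polyglot (a valid GIF or JPEG with PHP appended) passes both the finfo and getimagesize checks, so the renamed, non-executable extension and a web server rule that refuses to run PHP from the image directory are what actually stop code execution; re-encoding the image with GD (imagecreatefromstring followed by imagepng or imagejpeg) additionally strips any trailing payload. And the check adds nothing unless the administrator login in front of it is itself sound.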

Disable Vulnerable Endpoint

linux

Temporarily block access to /administrator/addcategory.php in the web server configuration (this also disables adding categories until a fix is in place), or put the whole /administrator/ directory behind an additional authentication layer or IP allowlist.

# Apache 2.4: add to .htaccess in /administrator/ (AllowOverride must permit it)
<Files "addcategory.php">
    Require all denied
</Files>
# Apache 2.2, or 2.4 with mod_access_compat: use "Deny from all" in place of "Require all denied"

# Nginx: add to the server block. Use an exact-match location ("=") so this rule
# takes precedence over the usual "location ~ \.php$" block that hands .php files
# to PHP-FPM; a plain prefix location loses to that regex and the request is still executed.
location = /administrator/addcategory.php { deny all; }

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the bidding system from critical assets.
  • Deploy a web application firewall (WAF) with rules to block malicious file upload patterns.

🔍 How to Verify

Check if Vulnerable:

On a test copy (this needs an administrator account), attempt to upload a harmless non-image file (e.g., a .txt file, or a .php file that only echoes a marker string) through /administrator/addcategory.php. The system is vulnerable if the upload is accepted and the file appears in the category image directory under its original name and extension; if a browser request for that .php file executes it, the impact is code execution rather than just arbitrary file storage.

Check Version:

Check system documentation or admin panel for version info; default is 1.0.

Verify Fix Applied:

Test file upload with restricted types; malicious files should be rejected with error messages.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /administrator/addcategory.php, especially large or frequent ones from a single IP, or from an IP that never touches the rest of the admin panel
  • GET requests to a .php (or .phtml, .phar) file inside the category image directory shortly after such a POST, which is the uploaded web shell being invoked
  • New files in the image directory that are not images (wrong magic bytes, or an executable extension); web server access logs do not record the filename inside a multipart body, so this is only visible in a WAF or application log or through file-integrity monitoring of that directory

Network Indicators:

  • HTTP POST requests to /administrator/addcategory.php carrying multipart/form-data
  • Anomalous outbound connections from the web server after an upload (reverse shells, tool downloads)

SIEM Query:

source="web_logs" AND uri="/administrator/addcategory.php" AND method="POST" AND (file_extension="php" OR file_extension="exe")

The file_extension field assumes a log source that parses the uploaded filename (a WAF or application log); plain access logs only support the uri and method conditions, so pair that query with one for GET requests to *.php under the image upload directory.
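The two checks above, as an added example that is not part of this page or of the Online Bidding System: classify files in the image directory by magic bytes and extension, and pull the POST and follow-on web shell requests out of combined-format access log lines. The upload path /upload/ and all sample files and log lines are constructed assumptions; substitute the real directory of your install.

```php
<?php
// Added example (not the project's code). Upload path "/upload/" and the sample
// data below are constructed assumptions.

// Leading bytes of the image types a fixed handler should accept.
const IMAGE_MAGIC = [
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
    'gif' => "GIF8",
];
// Extensions a typical PHP handler (Apache, or nginx + PHP-FPM) would execute.
const EXEC_EXT = '/\.(php[0-9]?|phtml|phar)$/i';

// Reason string if the stored file is suspicious, null if it looks like an image.
function classify_upload(string $name, string $bytes)
{
    if (preg_match(EXEC_EXT, $name)) {
        return 'executable extension';
    }
    foreach (IMAGE_MAGIC as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return null;
        }
    }
    return 'content is not an image';
}

// Run the classifier over a real directory; returns [filename => reason].
function scan_upload_dir(string $dir): array
{
    $bad = [];
    foreach (glob(rtrim($dir, '/') . '/*') as $path) {
        if (!is_file($path)) continue;
        $head = (string) file_get_contents($path, false, null, 0, 8);
        $why  = classify_upload(basename($path), $head);
        if ($why !== null) $bad[basename($path)] = $why;
    }
    return $bad;
}

// Parse one combined-format access log line into the fields the checks need.
function parse_access_line(string $line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) return null;
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Alerts for POSTs to the vulnerable endpoint and for any request that executes
// a PHP file inside the upload directory (the uploaded shell being invoked).
function find_indicators(array $lines, string $uploadPath = '/upload/'): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if ($r === null) continue;
        $path = strtok($r['path'], '?');   // drop the query string
        if ($r['method'] === 'POST' && $path === '/administrator/addcategory.php') {
            $alerts[] = "{$r['time']} {$r['ip']} POST to vulnerable endpoint";
        } elseif (strpos($path, $uploadPath) === 0 && preg_match(EXEC_EXT, $path)) {
            $alerts[] = "{$r['time']} {$r['ip']} requested $path in upload dir (HTTP {$r['status']})";
        }
    }
    return $alerts;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: three "stored files" and three access log lines.
    $files = [
        'cat1.png'  => "\x89PNG\r\n\x1A\n\x00\x00\x00\x0DIHDR",
        'shell.php' => "<?php system(\$_GET['c']); ?>",
        'cat2.jpg'  => "<?php echo 1; ?>",   // script renamed to .jpg: extension lies, bytes do not
    ];
    foreach ($files as $n => $b) {
        $why = classify_upload($n, $b);
        echo $n, ': ', $why === null ? 'ok' : $why, PHP_EOL;
    }
    $log = [
        '203.0.113.5 - - [12/Nov/2025:10:01:02 +0000] "POST /administrator/addcategory.php HTTP/1.1" 302 0 "-" "curl/8.0"',
        '203.0.113.5 - - [12/Nov/2025:10:01:05 +0000] "GET /upload/shell.php?c=id HTTP/1.1" 200 57 "-" "curl/8.0"',
        '198.51.100.7 - - [12/Nov/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    ];
    foreach (find_indicators($log) as $a) {
        echo $a, PHP_EOL;
    }
}
```

Run it with the PHP CLI on the web server, pointing scan_upload_dir() at the real image directory and find_indicators() at the access log; the 8-byte read per file is enough for every signature in IMAGE_MAGIC. The log check deliberately keys on the follow-on GET rather than only the POST, because legitimate administrators also POST to this endpoint and the access log cannot tell the two apart.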

🔗 References