CVE-2025-15110

4.7 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to upload arbitrary files to the jackq XCMS backend through the ProductImageController. Affected systems are those running XCMS up to commit 3fab5342cc509945a7ce1b8ec39d19f701b89261 with the backend accessible. Attackers can exploit this to upload malicious files like webshells.

💻 Affected Systems

Products:
  • jackq XCMS
Versions: Up to commit 3fab5342cc509945a7ce1b8ec39d19f701b89261
Operating Systems: Any OS running XCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems whose backend/admin interface is reachable by the attacker. The project follows a rolling release model, so there are no version numbers; the commit hash is the only identifier of the affected code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via webshell upload leading to remote code execution, data theft, and lateral movement.

🟠

Likely Case

Unauthorized file upload leading to defacement, malware hosting, or limited code execution depending on file type restrictions.

🟢

If Mitigated

Upload attempts are blocked or logged, preventing successful exploitation.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication.
🏢 Internal Only: MEDIUM - Requires the backend to be reachable, so still exploitable from internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit was disclosed publicly on the project's Gitee issue tracker; it is a simple manipulation of the upload request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to vulnerability report.

🔧 Temporary Workarounds

Restrict backend access

Platform: all

Allow only trusted source addresses to reach the Admin module (the one containing Admin/Home/Controller/ProductImageController.class.php) and any other backend interface, and enforce this in the web server or reverse proxy rather than with packet-level string matching.

# An iptables "-m string" rule on port 80 is not a reliable control: it cannot see HTTPS,
# it misses a request whose path is split across packets, and it is bypassed by alternative
# encodings of the path. Enforce the allowlist where the URL is actually parsed, e.g. nginx
# (the URL prefix that routes to the Admin module is an assumption; adjust to your deployment):
location ~ ^/[Aa]dmin/ {
    allow 10.0.0.0/8;    # example management network
    deny  all;
}

Implement file upload validation

Platform: all

Add server-side validation of the file name, extension and content. The check must not trust the client-supplied file name or Content-Type, and the stored file must not be executable by the web server.

# Modify ProductImageController.class.php so that the upload handler:
#   - derives the extension itself (lower-cased, last component only) and checks it against an allowlist
#   - verifies the content with finfo/getimagesize() instead of the client's Content-Type header
#   - stores the file under a server-generated name in a directory where PHP execution is disabled
# Example PHP (extension check only; on its own it is not sufficient, see the points above):
# $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
# if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) { die('Invalid file type'); }
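A hardened upload handler that implements the three checks above, added here as an example for this advisory. It is not code from jackq XCMS: the function name storeProductImage, the $_FILES field name "image" and the storage directory are assumptions, and it has to be adapted to the controller's own request handling.

```php
<?php
// Added example for this advisory, not code from jackq XCMS. The function name,
// the $_FILES field and the storage directory are assumptions.
declare(strict_types=1);

/**
 * Validate one entry of $_FILES and move it to $storeDir under a server-generated name.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function storeProductImage(array $file, string $storeDir, int $maxBytes = 2097152): string
{
    // PHP-level upload errors (size limit, partial upload, no file) are rejected first.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension: derived here from the client name, lower-cased, last component only,
    //    so "shell.php.jpg" yields "jpg" and "SHELL.PHP" yields "php". Allowlist, not denylist.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Content: $file['type'] is sent by the client and is ignored. finfo reads the magic
    //    bytes and getimagesize() parses the image header; both must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, expected {$allowed[$ext]}");
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a parseable image');
    }

    // 3. Name and location: the client name is never reused (path traversal, double
    //    extensions, null bytes). A random name keeps only the validated extension.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir($storeDir) || !is_writable($storeDir)) {
        throw new RuntimeException('storage directory is not writable');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage inside the controller's upload action (field name and path are assumptions):
try {
    $path = storeProductImage($_FILES['image'] ?? [], '/var/www/xcms/uploads/product');
} catch (RuntimeException $e) {
    error_log('rejected product image upload: ' . $e->getMessage());
    http_response_code(400);
    exit;
}
```

Two points that the code cannot enforce by itself: a valid image with PHP appended (a polyglot) passes every check above, and only stays harmless because it is stored with an image extension in a directory where the web server does not execute scripts. That directory policy has to be set in the server configuration (for nginx, a location block for the upload path that returns 403 for `\.php$`; for Apache with mod_php, `php_flag engine off` in that directory). The web server account also needs write access to the upload directory and nothing else.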

🧯 If You Can't Patch

  • Disable the product image upload functionality in the backend completely
  • Implement WAF rules that reject multipart requests to the ProductImageController route whose file name has a script extension (.php, .phtml, .phar, .exe, .sh) or whose file part begins with a PHP open tag; treat this as a stopgap, since WAF rules are bypassable

🔍 How to Verify

Check if Vulnerable:

Check whether your XCMS checkout is at commit 3fab5342cc509945a7ce1b8ec39d19f701b89261 or an earlier one. Because no fix has been published, a newer checkout should not be assumed safe either. Confirm the behaviour by attempting to upload a non-image file to the product image upload endpoint and checking whether it is stored and served.

Check Version:

git -C /path/to/xcms log --oneline -1    # latest commit hash of the installed checkout
# Exit status 0 means the checkout is at the tested commit or before it (the commit must exist locally; git fetch first):
git -C /path/to/xcms merge-base --is-ancestor HEAD 3fab5342cc509945a7ce1b8ec39d19f701b89261 && echo "at or before the tested commit"

Verify Fix Applied:

Verify that the file upload restrictions are in place by testing with several file types: a PHP file, a PHP file renamed to an image extension, and a real image. Only the real image should be accepted, and the copy in the upload directory should carry a server-generated name with an image extension and should not execute when requested through the web server.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Admin/Home/Controller/ProductImageController
  • Uploads of non-image file types (.php, .exe, .sh)
  • Large number of upload attempts

Network Indicators:

  • POST requests to ProductImageController with unusual file extensions
  • Requests to newly created files with .php or other script extensions under the upload directory (a stored webshell being accessed), especially shortly after a POST to the controller

SIEM Query:

source="web_logs" AND uri="*ProductImageController*" AND (file_ext="php" OR file_ext="exe" OR file_ext="sh")

Two assumptions in this query: the file_ext field requires a log source that records the uploaded file's name (an application or WAF log), because a plain web-server access log carries only the request URI and never sees the file name inside the multipart body; and the URL that routes to this controller may not contain the literal string ProductImageController, so confirm the route in your deployment and adjust the pattern. Where only access logs exist, alert on POST requests to the controller's route and sweep the upload directory for non-image content.
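A sweep of the upload directory that implements the log-independent half of the detection above and doubles as the check in "Verify Fix Applied" of what actually landed on disk. It is added here as an example for this advisory and is not part of jackq XCMS; the upload directory path is an assumption, and the sample files it creates in a temporary directory are constructed so that it runs offline.

```php
<?php
// Added example for this advisory, not part of jackq XCMS. Point auditUploadDir() at the
// real product image upload directory (its path is an assumption) on a live system.
declare(strict_types=1);

/**
 * Return [path, reason] pairs for files that do not belong in an image-only upload
 * directory: an unexpected extension, content that is not the image the extension claims,
 * or PHP code inside an otherwise valid image (a polyglot that is dangerous if ever run as PHP).
 */
function auditUploadDir(string $dir): array
{
    $allowed  = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $f) {
        $path = $f->getPathname();
        $ext  = strtolower($f->getExtension());
        if (!array_key_exists($ext, $allowed)) {
            $findings[] = [$path, "unexpected extension '$ext'"];
            continue;
        }
        $mime = $finfo->file($path);            // magic bytes, not the name
        if ($mime !== $allowed[$ext]) {
            $findings[] = [$path, "content is $mime, not {$allowed[$ext]}"];
            continue;
        }
        // Valid image header; still look for a PHP open tag in the first 1 MiB.
        $head = file_get_contents($path, false, null, 0, 1048576);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $findings[] = [$path, 'PHP open tag inside image (polyglot)'];
        }
    }
    return $findings;
}

// Constructed sample directory so the example runs stand-alone (not real XCMS data).
function makeSampleDir(): string
{
    $dir = sys_get_temp_dir() . '/xcms_upload_sample_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $gif = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='); // 1x1 GIF
    file_put_contents("$dir/ok.gif", $gif);                               // legitimate image
    file_put_contents("$dir/shell.php", "<?php system(\$_GET['c']); ?>");  // script extension
    file_put_contents("$dir/fake.jpg", "<?php eval(\$_POST['x']); ?>");    // script with image name
    file_put_contents("$dir/poly.gif", $gif . "<?php echo 1; ?>");         // image + appended PHP
    return $dir;
}

$dir = makeSampleDir();
foreach (auditUploadDir($dir) as [$path, $reason]) {
    echo basename($path), ': ', $reason, PHP_EOL;   // ok.gif is not reported
}
foreach (glob("$dir/*") as $f) {   // clean up the constructed sample
    unlink($f);
}
rmdir($dir);
```

On a live system, run it from cron or the SIEM agent against the real upload directory and alert on any finding; a file with a script extension there is the direct artefact of this vulnerability being exploited, and a mismatch between extension and content is the same attempt against a server that only checks names. Creation times of the flagged files, correlated with POSTs to the controller's route in the access log, give the timeline of the upload.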
