CVE-2025-15360

4.7 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to upload arbitrary files to newbee-mall-plus 2.0.0 through the product information edit page. Attackers can exploit this to upload malicious files like web shells, potentially leading to server compromise. Any system running the vulnerable version with the upload functionality accessible is affected.

💻 Affected Systems

Products:
  • newbee-mall-plus
Versions: 2.0.0
Operating Systems: Any OS running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the upload functionality in the product information edit page specifically

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover via web shell upload, leading to data theft, ransomware deployment, or use of the host as a platform for further attacks

🟠 Likely Case: Web shell upload enabling persistent backdoor access, data exfiltration, or lateral movement

🟢 If Mitigated: File uploads restricted to authorized users with proper validation, limiting the impact

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details publicly disclosed on GitHub; vendor unresponsive to disclosure

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Implement input validation and file type restrictions in UploadController.java (see the workarounds below).

🔧 Temporary Workarounds

Implement file upload validation (applies to: all)

Add server-side validation to restrict file types, extensions, and content:
  • Modify src/main/java/ltd/newbee/mall/controller/common/UploadController.java to validate file types, extensions, and MIME types

Disable upload functionality (applies to: all)

Temporarily disable the vulnerable upload endpoint:
  • Comment out or remove the upload mapping in UploadController.java
  • Add a @RequestMapping restriction to limit access
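Server-side validation of the kind the first workaround calls for, as an added example (not newbee-mall-plus code): it assumes the product edit page only needs image uploads, and that the controller can pass it the original filename, the declared Content-Type and the first bytes of the file. Class and method names are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example, not newbee-mall-plus code: deny-by-default checks for an
// image upload. Class and method names, and the image-only policy, are assumptions.
public final class UploadValidator {
    // Extension -> Content-Type the client must declare for it. Nothing else is accepted.
    private static final Map<String, String> ALLOWED = Map.of(
            "jpg", "image/jpeg", "jpeg", "image/jpeg", "png", "image/png", "gif", "image/gif");

    /** Returns null when the upload is acceptable, otherwise the reason for rejection. */
    public static String validate(String originalName, String declaredMime, byte[] head) {
        if (originalName == null || originalName.isBlank()) return "missing filename";
        // Drop any client-supplied directory part before inspecting the name.
        String name = originalName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1).toLowerCase(Locale.ROOT);
        for (char c : name.toCharArray()) if (c < 0x20) return "control character in filename";
        // Every dot-separated segment after the base name must be an allowed extension,
        // so a name carrying a second, hidden extension is rejected as well.
        String[] parts = name.split("\\.");
        if (parts.length < 2 || parts[0].isEmpty()) return "no extension";
        for (int i = 1; i < parts.length; i++)
            if (!ALLOWED.containsKey(parts[i])) return "extension not allowed: " + parts[i];
        String ext = parts[parts.length - 1];
        if (!ALLOWED.get(ext).equals(declaredMime)) return "content-type mismatch";
        // The declared type is attacker-controlled; confirm with the file's magic bytes.
        if (!magicMatches(ext, head)) return "content does not match extension";
        return null;
    }

    static boolean magicMatches(String ext, byte[] h) {
        if (h == null || h.length < 4) return false;
        switch (ext) {
            case "jpg": case "jpeg": return (h[0] & 0xFF) == 0xFF && (h[1] & 0xFF) == 0xD8;
            case "png":              return (h[0] & 0xFF) == 0x89 && h[1] == 'P' && h[2] == 'N' && h[3] == 'G';
            case "gif":              return h[0] == 'G' && h[1] == 'I' && h[2] == 'F' && h[3] == '8';
            default:                 return false;
        }
    }

    /** Store under a server-chosen name, never the client's, so no client-supplied name reaches the disk. */
    public static String storageName(String ext) {
        return UUID.randomUUID() + "." + ext;
    }
}
```

Wire `validate` in before the controller writes anything to disk, and keep the upload directory outside the servlet-served web root so that even a file that slips through cannot be requested and executed.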

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious file uploads and known exploit patterns
  • Restrict network access to the upload endpoint using firewall rules or network segmentation

🔍 How to Verify

Check if Vulnerable:

Check if running newbee-mall-plus 2.0.0 and test file upload with restricted extensions like .jsp, .php, .exe

Check Version:

Check pom.xml or application properties for version information

Verify Fix Applied:

Test upload functionality with malicious file types to ensure they are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with suspicious extensions
  • Multiple failed upload attempts
  • Uploads from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to upload endpoints with unusual file types
  • Traffic patterns indicating file upload exploitation

SIEM Query:

source="web_server" AND (uri="/upload" OR uri CONTAINS "upload") AND (file_extension IN ("jsp", "php", "exe", "war"))
