CVE-2025-3298

4.3 MEDIUM

📋 TL;DR

This vulnerability in SourceCodester Online Eyewear Shop 1.0 allows attackers to bypass access controls through manipulation of the email parameter in the registration handler. Attackers can exploit this remotely to potentially gain unauthorized access to restricted functionality. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • SourceCodester Online Eyewear Shop
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability lies in the web application component and is independent of the underlying operating system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative privileges, modify product data, or access sensitive user information through the compromised registration handler.

🟠 Likely Case

Unauthorized users could register accounts with elevated privileges or bypass intended access restrictions in the eyewear shop system.

🟢 If Mitigated

With proper input validation and access controls, the vulnerability would be prevented from being exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Implement strict validation and sanitization of the email parameter in the registration handler.
  • Modify /oews/classes/Master.php to validate email format and restrict special characters.

Access Control Hardening (applies to: all)

  • Add proper authentication checks before processing registration requests.
  • Add session validation and role-based access controls to the save_product function.
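The first workaround above asks for strict email validation with special characters rejected. The following is an added illustration written for this page in Python, not SourceCodester's code: the shop itself is PHP, and the same allowlist logic would be ported into the registration handler in /oews/classes/Master.php. The regex, length limit and error messages are this example's own choices.

```python
"""Strict allowlist validation for an email parameter (added example)."""
import re

# Allowlist: a local part of letters, digits and a few punctuation marks,
# one '@', then dot-separated domain labels ending in an alphabetic TLD.
# Quotes, angle brackets, spaces, semicolons and control characters never
# match, so they are rejected before the value reaches any query or page.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
MAX_LEN = 254  # RFC 5321 overall length bound (assumed limit for this example)


def validate_email(value):
    """Return the normalised (trimmed, lower-cased) address or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("email must be a string")
    value = value.strip()
    if len(value) > MAX_LEN:
        raise ValueError("email too long")
    if not _EMAIL_RE.fullmatch(value):
        raise ValueError("email has an invalid format or forbidden characters")
    return value.lower()


def is_valid_email(value):
    """Boolean convenience wrapper around validate_email()."""
    try:
        validate_email(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed address, then values that
    # carry the characters the advisory's detection query looks for.
    for sample in ["Alice@Example.com", "bob'@example.com",
                   "<x>@example.com", "carol@localhost", 'd"e@example.com']:
        try:
            print(f"{sample!r:28} -> accepted as {validate_email(sample)}")
        except ValueError as exc:
            print(f"{sample!r:28} -> rejected: {exc}")
```

The format check only removes malformed input; it does not by itself decide who may call the handler, so it belongs alongside the authentication and role checks in the second workaround rather than in place of them.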

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious email parameter manipulation
  • Restrict access to the vulnerable endpoint using network segmentation or IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Test if email parameter manipulation in /oews/classes/Master.php?f=save_product bypasses access controls

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that email parameter manipulation no longer allows unauthorized access to restricted functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual registration attempts with manipulated email parameters
  • Multiple failed access attempts to restricted functions

Network Indicators:

  • HTTP POST requests to /oews/classes/Master.php with unusual email parameters

SIEM Query:

source="web_logs" AND uri="/oews/classes/Master.php" AND (email CONTAINS "'" OR email CONTAINS "\"" OR email CONTAINS "<" OR email CONTAINS ">")
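The log, network and SIEM indicators above all reduce to one check: a request to /oews/classes/Master.php whose email parameter carries quote or angle-bracket characters. The script below is an added example written for this page (not part of the advisory or the vendor's software) that applies that check to access-log lines offline. It assumes a constructed log format: an Apache combined-style prefix followed by an optional body="..." field holding the URL-encoded POST form, since stock access logs do not record request bodies and such a field would have to come from the application or a reverse proxy configured to log it. All sample lines are constructed.

```python
"""Flag requests matching the advisory's email-parameter indicators (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/oews/classes/Master.php"
SUSPICIOUS = set("'\"<>")  # the same four characters as the SIEM query above

# Assumed (constructed) log format: combined-log prefix, status, size, and an
# optional trailing body="..." field with the percent-encoded form body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: body="(?P<body>[^"]*)")?'
)

# Constructed sample lines: a normal registration, a registration whose email
# carries quote/angle-bracket characters, a GET against the save_product
# action with a malformed email, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:13:22:01 +0000] "POST /oews/classes/Master.php?f=register HTTP/1.1" 200 512 body="email=alice%40example.com&password=x"
203.0.113.9 - - [10/Apr/2025:13:22:07 +0000] "POST /oews/classes/Master.php?f=register HTTP/1.1" 200 498 body="email=bob%27%3Cx%3E%40example.com&password=x"
198.51.100.4 - - [10/Apr/2025:13:23:10 +0000] "GET /oews/classes/Master.php?f=save_product&email=%3Cx%3E HTTP/1.1" 403 0
198.51.100.7 - - [10/Apr/2025:13:23:11 +0000] "GET /oews/index.php HTTP/1.1" 200 1024
"""


def extract_params(target, body):
    """Merge URL-decoded query-string and form-body parameters into one dict."""
    params = dict(parse_qs(urlsplit(target).query, keep_blank_values=True))
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    return params


def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m or urlsplit(m["target"]).path != TARGET_PATH:
        return None
    params = extract_params(m["target"], m["body"])
    for email in params.get("email", []):
        hit = sorted(SUSPICIOUS & set(email))
        if hit:
            return {
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "email": email, "chars": hit,
            }
    return None


def scan_log(text):
    """Apply scan_line() to every line and collect the findings in order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} "
              f"status={finding['status']} email={finding['email']!r} "
              f"chars={finding['chars']}")
```

Decoding the parameters before matching matters: an encoded `%27` never contains a literal quote, so a SIEM rule that compares the raw request line would miss it, while the same rule applied after decoding catches both the POST body and the query-string variant.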
