CVE-2025-3960

7.3 HIGH

📋 TL;DR

CVE-2025-3960 is a critical missing authorization vulnerability in withstars Books-Management-System 1.0 that allows unauthenticated attackers to access the background interface via the /allreaders.html file. This affects all deployments of version 1.0, particularly those exposed to untrusted networks. The software is no longer supported by the maintainer, leaving systems permanently vulnerable.

💻 Affected Systems

Products:
  • withstars Books-Management-System
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are affected. The software is end-of-life with no vendor support.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the books management system allowing unauthorized access to sensitive data, modification of records, and potential privilege escalation to administrative functions.

🟠 Likely Case

Unauthorized viewing and manipulation of book records, user data, and system configuration through the exposed background interface.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation, though internal threats may still exist.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances immediately vulnerable to attack.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or compromised internal hosts, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com, making this easily exploitable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - software is end-of-life

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch exists. Consider migrating to supported alternative software or implementing compensating controls.

🔧 Temporary Workarounds

Access Control via Web Server (all platforms)

Implement IP-based or authentication restrictions at the web server level to block unauthorized access to /allreaders.html. The 192.168.1.0/24 range below is a placeholder for your trusted network; replace it with your own.

  # Apache (2.4) example
  <Location "/allreaders.html">
      Require ip 192.168.1.0/24
  </Location>

  # Nginx example (exact-match location, so only this path is affected)
  location = /allreaders.html {
      allow 192.168.1.0/24;
      deny all;
  }

File Removal/Rename (Linux)

Remove or rename the vulnerable /allreaders.html file to prevent exploitation. Use one of the two commands, not both: once the file has been renamed, the rm command has nothing to delete.

  # Rename (keeps a copy for reference)
  mv /path/to/allreaders.html /path/to/allreaders.html.disabled
  # or delete outright
  rm /path/to/allreaders.html

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Books-Management-System from untrusted networks
  • Deploy a web application firewall (WAF) with rules to block unauthorized access to the background interface

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[target]/allreaders.html without authentication. If the background interface loads, the system is vulnerable.

Check Version:

Check application documentation or configuration files for version information, typically in README files or about pages.

Verify Fix Applied:

Verify that accessing /allreaders.html returns 403/404 or requires proper authentication after implementing workarounds.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /allreaders.html from unauthorized IPs
  • Unusual access patterns to background interface endpoints

Network Indicators:

  • Unusual traffic to /allreaders.html path
  • Requests to background interface from unexpected sources

SIEM Query:

source="web_server_logs" AND (url_path="/allreaders.html" OR user_agent="*scanner*") AND response_code=200
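The log indicator above (HTTP 200 responses to /allreaders.html from IPs outside the trusted range) can be checked offline against existing access logs. The following is an added example, not part of the original advisory: it parses combined-format web server log lines and reports every 200 response for /allreaders.html served to a client outside the allowed networks. The sample log lines are constructed, and 192.168.1.0/24 is the placeholder trusted range from the workaround section.

```python
import ipaddress
import re

# Combined Log Format as written by default Apache/Nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULNERABLE_PATH = "/allreaders.html"


def find_unauthorized_hits(log_lines, allowed_cidrs):
    """Return entries where the exposed page was served (HTTP 200)
    to a client that is not inside any of the allowed networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path != VULNERABLE_PATH or m.group("status") != "200":
            continue  # only successful responses for the exposed page matter
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if any(ip in n for n in nets):
            continue  # trusted source, expected after the workaround
        hits.append({"ip": str(ip), "ts": m.group("ts"), "status": 200})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Apr/2025:10:01:02 +0000] "GET /allreaders.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2025:10:05:44 +0000] "GET /allreaders.html HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Apr/2025:10:05:45 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Apr/2025:11:00:00 +0000] "GET /allreaders.html?x=1 HTTP/1.1" 403 153 "-" "curl/8.0"',
    "not a log line",
]

if __name__ == "__main__":
    for h in find_unauthorized_hits(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"ALERT {h['ts']} {h['ip']} was served {VULNERABLE_PATH} (200)")
```

A 403 from an untrusted client (the fourth sample line) is what the web server workaround should produce; a 200 there means the restriction is not in effect.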
