Platform: php
Component: innoshop
Fixed in: 0.4.2
CVE-2025-52922 describes a directory traversal vulnerability discovered in InnoShop versions 0 through 0.4.1. This flaw allows authenticated attackers with access to the admin panel to traverse directories and potentially access sensitive files on the server. A fix is available in version 0.4.2, and users are strongly encouraged to upgrade immediately.
The directory traversal vulnerability in InnoShop presents a significant security risk. An attacker who can authenticate as an administrator can leverage the /api/file_manager endpoints to perform a wide range of malicious actions. They can map the entire filesystem structure, create arbitrary directories, read sensitive files by copying them to accessible locations, and even delete files. This could lead to complete compromise of the server, including data exfiltration, code execution, and denial of service. The ability to map the filesystem provides reconnaissance capabilities, allowing an attacker to identify valuable targets for further exploitation.
CVE-2025-52922 was publicly disclosed on 2025-06-23. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. While no exploit is currently known, the ease of exploitation (requiring only admin authentication) suggests a potential for future exploitation if left unpatched.
Exploit Status: EPSS 0.30% (53rd percentile)
The primary mitigation for CVE-2025-52922 is to upgrade InnoShop to version 0.4.2 or later, which contains the fix. If upgrading immediately is not possible, consider temporary workarounds: restrict access to the /api/file_manager endpoints to authorized users only, and implement strict input validation that rejects directory traversal attempts. Web application firewalls (WAFs) can be configured to block requests containing path traversal patterns such as "../". Monitor access logs for unusual activity against the /api/file_manager endpoints.
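One way to implement the strict input validation recommended above, as an added example that is not InnoShop's own code: every path a file-manager endpoint accepts is confined to a fixed base directory before any read, copy, mkdir or delete is attempted. The function name and the $base / $userPath parameters are assumptions chosen for illustration.

```php
<?php
// Added example, not InnoShop's code: confine a user-supplied file-manager path
// to a fixed base directory before any read, copy, mkdir or delete is performed.
// Assumes $base is an existing directory and $userPath is the raw request value.
function resolveWithinBase(string $base, string $userPath): ?string
{
    // Decode once so encoded forms such as %2e%2e%2f are seen as "../".
    $candidate = rawurldecode($userPath);
    // NUL bytes can truncate paths in lower-level APIs; never accept them.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // Resolve "." and ".." lexically; any attempt to climb above the base fails.
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $candidate)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($segments === []) {
                return null;
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $target = $segments === [] ? $realBase
        : $realBase . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);
    // Symlinks can escape a lexically clean path, so also check the real location
    // of the target, or of its nearest existing ancestor when the target does not
    // exist yet (e.g. a directory about to be created).
    $check = $target;
    while (($real = realpath($check)) === false) {
        $up = dirname($check);
        if ($up === $check) {
            return null;
        }
        $check = $up;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}
```

The function returns null for any path that climbs above the base, whether written plainly, URL-encoded, or routed through a symlink that points outside the base; callers should treat null as a rejected request and log it.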
Update InnoShop to a version later than 0.4.1 that fixes the path traversal vulnerability. If no such version is available, consider disabling or removing the FileManager component until a fix is published. Review and validate the web server's security configuration to mitigate the risk of unauthorized access to the filesystem.
CVE-2025-52922 is a HIGH severity vulnerability allowing authenticated admins in InnoShop versions 0-0.4.1 to traverse directories and access sensitive files.
You are affected if you are using InnoShop versions 0 through 0.4.1 and have not upgraded to version 0.4.2 or later.
Upgrade InnoShop to version 0.4.2 or later. As a temporary workaround, restrict access to the /api/file_manager endpoints and implement input validation.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-52922, but the ease of exploitation warrants immediate attention.
Refer to the InnoShop project's official website or repository for the latest security advisories and updates.