Plataforma
php
Corregido en
1.0.1
A critical path traversal vulnerability has been identified in code-projects Document Management System versions 1.0. This flaw allows attackers to manipulate the 'ID' argument within the '/dell.php' file, potentially leading to unauthorized access and file disclosure. Affected versions include 1.0, and a patch is available in version 1.0.1.
The path traversal vulnerability in Document Management System allows an attacker to bypass intended access controls and read arbitrary files on the server. By crafting a malicious request that manipulates the 'ID' parameter in '/dell.php', an attacker can traverse directories and access sensitive data, such as configuration files, source code, or even user data. This could lead to data breaches, system compromise, and further exploitation. While the description doesn't specify a particular file, the potential for accessing critical system files is significant.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. The exploit is considered relatively straightforward, potentially lowering the barrier to entry for attackers. No KEV listing or EPSS score is currently available. The public disclosure date (2025-08-01) indicates that attackers may already be actively scanning for vulnerable systems.
Organizations using the code-projects Document Management System in versions 1.0 are at risk. This includes those deploying the system on shared hosting environments, as the vulnerability could be exploited to access files on other users' accounts. Systems with default configurations or those lacking robust input validation are particularly vulnerable.
• php / web:
curl -I 'http://your-server/dell.php?ID=../../../../etc/passwd' | grep 'HTTP/1.1 200 OK'• generic web:
curl -I 'http://your-server/dell.php?ID=../../../../etc/passwd' | grep '403 Forbidden'• generic web:
grep -r 'dell.php?ID=' /var/log/apache2/access.logdisclosure
Estado del Exploit
EPSS
0.07% (22% percentil)
CISA SSVC
Vector CVSS
The primary mitigation for CVE-2025-8433 is to upgrade to version 1.0.1 of the Document Management System. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing path traversal sequences in the 'ID' parameter of '/dell.php'. Specifically, block requests containing sequences like '../' or '\\'. Additionally, review file permissions on the server to ensure that sensitive files are not accessible by the web server user. After upgrading, confirm the fix by attempting to access a file outside the intended directory via the /dell.php endpoint; access should be denied.
Actualizar a una versión parcheada del sistema de gestión de documentos. Si no hay una versión parcheada disponible, revisar y sanear la entrada del parámetro ID en el archivo dell.php para evitar el recorrido de directorios (path traversal). Validar que el archivo a eliminar se encuentre dentro del directorio esperado.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2025-8433 is a path traversal vulnerability in Document Management System versions 1.0, allowing attackers to access unauthorized files by manipulating the 'ID' parameter in '/dell.php'.
You are affected if you are using Document Management System version 1.0. Upgrade to version 1.0.1 to mitigate the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, implement a WAF rule to block requests containing path traversal sequences in the '/dell.php' endpoint.
While no confirmed exploitation is publicly reported, the vulnerability has been disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-8433.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.