Platform
php
Component
08cms-novel-system
Fixed in
3.0.1
3.1.1
3.2.1
3.3.1
3.4.1
A code injection vulnerability has been identified in 08CMS Novel System versions 3.0 to 3.4. This flaw resides within the component's Template Handler, specifically the file admina/mtpls.inc.php, allowing attackers to inject and potentially execute malicious code. The vulnerability is remotely exploitable and has been publicly disclosed, increasing the risk of immediate exploitation. A patch is available in version 3.4.1.
Successful exploitation of CVE-2025-15250 allows an attacker to inject and execute arbitrary code on the affected server. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The attacker could potentially gain control of the entire 08CMS Novel System installation, impacting any sensitive data stored within the system, such as user credentials, novel content, or administrative settings. Given the remote accessibility of the vulnerability, the blast radius extends to anyone with network access to the server.
This vulnerability has been publicly disclosed, which increases the likelihood of exploitation. While no specific active campaigns have been reported, the availability of public information makes it a prime target for opportunistic attackers. The vulnerability is not currently listed in CISA KEV, but its public disclosure warrants close monitoring. Its ease of exploitation suggests a medium likelihood of being exploited.
Organizations utilizing 08CMS Novel System for content management, particularly those hosting the system on shared hosting environments or with limited security controls, are at increased risk. Legacy installations with outdated configurations and weak access controls are also particularly vulnerable.
• php: Examine web server access logs for requests targeting admina/mtpls.inc.php with unusual parameters or file extensions.
grep -i 'admina/mtpls.inc.php' /var/log/apache2/access.log
• php: Search for recently modified files within the 08CMS Novel System installation directory, particularly admina/mtpls.inc.php, for suspicious code.
find /path/to/08cms/ -type f -mtime -1
• generic web: Use curl to test for the existence of the admina/mtpls.inc.php endpoint and observe the response for any unexpected behavior or error messages.
curl -I http://your-08cms-server.com/admina/mtpls.inc.php
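The grep above only lists every hit on the Template Handler file; a defender usually wants to separate routine admin use from requests that warrant a closer look. The following script is an added example (not code from the advisory or from the 08CMS project) that parses Apache combined-format access log lines and flags requests to admina/mtpls.inc.php that carry a query string, use a method other than GET/HEAD, or originate outside an assumed administrator network. The log lines, the admin network prefix 203.0.113. and the placeholder query values are all constructed for the demonstration.

```python
import re

# Apache "combined" LogFormat (assumed default); fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Template Handler file named in the advisory for CVE-2025-15250.
VULNERABLE_PATH = "/admina/mtpls.inc.php"

# Constructed sample log lines for demonstration only (not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /admina/mtpls.inc.php HTTP/1.1" 200 812
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "POST /admina/mtpls.inc.php?tpl=PLACEHOLDER HTTP/1.1" 200 64
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /admina/mtpls.inc.php?name=PLACEHOLDER HTTP/1.1" 200 64
192.0.2.9 - - [10/Jan/2025:10:00:05 +0000] "GET /novel/123.html HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(entry, admin_nets=("203.0.113.",)):
    """Return the list of reasons a request to the Template Handler looks unusual.

    An empty list means the request either does not touch the vulnerable file
    or looks like routine admin use (plain GET, no parameters, admin source).
    admin_nets is an assumed prefix list for the administrator network.
    """
    path, _, query = entry["path"].partition("?")
    if not path.endswith(VULNERABLE_PATH):
        return []
    reasons = []
    if query:
        reasons.append("query string")
    if entry["method"] not in ("GET", "HEAD"):
        reasons.append(f"method {entry['method']}")
    if not entry["ip"].startswith(admin_nets):
        reasons.append("non-admin source")
    return reasons


def scan(log_text, admin_nets=("203.0.113.",)):
    """Scan raw log text and return (ip, method, path, reasons) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        reasons = suspicious_reasons(entry, admin_nets)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path}  <- {', '.join(reasons)}")
```

Run it against a real log by reading the file into scan(); the plain GET from the admin network on line two is deliberately not flagged so the output stays focused on the requests that differ from ordinary use.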
Exploit status
EPSS
0.06% (percentile 17%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15250 is to immediately upgrade 08CMS Novel System to version 3.4.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests targeting the vulnerable admina/mtpls.inc.php file. Additionally, restrict access to the admin panel using strong authentication and network segmentation to limit potential damage. Monitor system logs for suspicious activity related to file uploads or code execution.
Update to a fixed version of 08CMS Novel System that resolves the code injection vulnerability. If no fixed version is available, consider disabling or removing the Template Handler component (admina/mtpls.inc.php) until a fix can be applied. Consult the references provided for further details and possible mitigation measures.
CVE-2025-15250 is a code injection vulnerability affecting 08CMS Novel System versions 3.0 through 3.4, allowing attackers to execute arbitrary code via the admina/mtpls.inc.php file.
If you are running 08CMS Novel System versions 3.0, 3.1, 3.2, 3.3, or 3.4, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade 08CMS Novel System to version 3.4.1 or later to patch this vulnerability. As a temporary workaround, implement a WAF rule to block requests to admina/mtpls.inc.php.
While no confirmed active campaigns are currently reported, the public disclosure of this vulnerability increases the risk of exploitation.
Refer to the 08CMS Novel System official website or security advisory channels for the latest information and updates regarding CVE-2025-15250.