Platform
php
Component
windu-cms
Fixed in
4.1.1
CVE-2025-59114 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Windu CMS. This flaw allows an attacker to trick a user into unknowingly uploading malicious files to the server. The vulnerability impacts versions 0.0 through 4.1, and a patch is available in version 4.1 build 2250.
An attacker can exploit this CSRF vulnerability by crafting a malicious website. When a logged-in user of Windu CMS visits this website, the attacker can trigger an unauthorized file upload to the server. This could lead to the execution of arbitrary code, defacement of the website, or the compromise of sensitive data stored on the server. The potential damage is significant, as an attacker could gain complete control over the affected system. Successful exploitation hinges on the victim being authenticated within the Windu CMS application.
CVE-2025-59114 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on CISA KEV. Exploitation probability is considered low due to the lack of publicly available exploits.
Websites and applications utilizing Windu CMS versions 0.0 through 4.1 are at risk. Shared hosting environments where multiple websites share the same server instance are particularly vulnerable, as a compromise of one website could potentially impact others. Administrators who have not implemented robust CSRF protection measures are also at increased risk.
• php / web: `curl -I <windu_cms_url>/upload.php?file=malicious.php`
• php / web: Check for suspicious file uploads in the Windu CMS file storage directory.
• generic web: Monitor access logs for unusual POST requests to file upload endpoints.
• generic web: Examine response headers for unexpected content types after file uploads.
disclosure
Exploit Status
EPSS
0.03% (percentile 7%)
CISA SSVC
The primary mitigation for CVE-2025-59114 is to upgrade Windu CMS to version 4.1 build 2250. If upgrading is not immediately feasible, consider implementing CSRF protection mechanisms at the application level, such as adding CSRF tokens to file upload forms. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of defense. Review and restrict file upload permissions to minimize the impact of a successful attack.
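The application-level mitigation mentioned above (a per-session CSRF token on the upload form, checked before any file is stored) as an added PHP example; this is illustrative code, not Windu CMS's own upload handler, and the `uploads` directory, the form field names and the extension allow-list are assumptions.

```php
<?php
// Added example, not Windu CMS code: CSRF-protected upload handler (hypothetical paths).
declare(strict_types=1);
session_start();
const UPLOAD_DIR = __DIR__ . '/uploads'; // hypothetical storage directory

// Issue one random token per session; it is embedded in the form and checked on POST.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a form on an attacker's site cannot read the session token.
function csrfTokenIsValid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Defense in depth: reject when the Origin/Referer host is not our own host.
function originIsTrusted(array $server): bool {
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin === null) { return false; }
    $ownHost = explode(':', $server['HTTP_HOST'] ?? '')[0];
    return parse_url($origin, PHP_URL_HOST) === $ownHost;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null) || !originIsTrusted($_SERVER)) {
        http_response_code(403); exit('Rejected: missing or invalid CSRF token');
    }
    $file = $_FILES['upload'] ?? null;
    if ($file === null || $file['error'] !== UPLOAD_ERR_OK) { http_response_code(400); exit('No file'); }
    // Allow-list extensions and store under a server-chosen name, never the client's.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif', 'pdf'], true)) { http_response_code(415); exit('Type not allowed'); }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) { http_response_code(500); exit('Store failed'); }
    exit('Uploaded');
}

// GET: render the upload form with the per-session token embedded.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="file" name="upload"><button type="submit">Upload</button>
</form>
HTML;
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer, but the server-side token check is the control that does not depend on the client.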
Update Windu CMS to version 4.1 build 2250 or later. This update fixes the Cross-Site Request Forgery vulnerability in the file upload functionality. The update can be performed via the CMS administration panel or by downloading the latest version from the official website.
CVE-2025-59114 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS, allowing attackers to upload malicious files without user consent.
You are affected if you are using Windu CMS versions 0.0 through 4.1. Version 4.1 build 2250 is not affected.
Upgrade Windu CMS to version 4.1 build 2250. Implement CSRF protection measures if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the lack of a public PoC does not guarantee safety.
Refer to the Windu CMS official website or security advisories for the latest information and updates regarding CVE-2025-59114.