easyimages2.0
Fixed version
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
CVE-2025-13415 describes a cross-site scripting (XSS) vulnerability discovered in icret EasyImages versions 2.8.0 through 2.8.6. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The affected component is the SVG Image Handler, specifically the /app/upload.php file. A fix is available in version 2.8.7.
The XSS vulnerability in icret EasyImages allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal user cookies, redirect users to malicious websites, or deface the website. Successful exploitation requires an attacker to control the 'File' argument within the /app/upload.php endpoint. The impact is amplified if the application handles sensitive user data or performs critical operations, as an attacker could leverage the injected script to gain unauthorized access or manipulate data. While the CVSS score is LOW, the potential for user compromise and website defacement remains a significant concern.
CVE-2025-13415 was publicly disclosed on 2025-11-19. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but the ease of exploitation (remote manipulation of an argument) warrants attention.
Websites and applications running icret EasyImages versions 2.8.0 through 2.8.6 are at risk, including any organization that uses the component for image handling. Shared hosting environments, where multiple users share the same server instance, are particularly exposed: a compromised user account could be used to exploit the vulnerability and affect other users.
• php: Examine /app/upload.php for unsanitized handling of the 'File' parameter. Search for places where user-supplied data is output directly into HTML without encoding.

    // Example of vulnerable code
    <?php
    echo $_GET['File']; // Vulnerable to XSS
    ?>

• generic web: Use curl to request the /app/upload.php endpoint with a payload such as <script>alert('XSS')</script> as the 'File' parameter, then check whether the response body reflects the payload unencoded. curl does not render the page, so no alert box appears; a reflected, unescaped <script> tag in the body is the indicator.

    curl -G --data-urlencode "File=<script>alert('XSS')</script>" 'http://your-easyimages-site/app/upload.php'

• generic web: Review access and error logs for suspicious requests to /app/upload.php whose 'File' parameter contains script tags or other markup.
disclosure
Exploitation status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13415 is to upgrade icret EasyImages to version 2.8.7 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'File' argument in /app/upload.php to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and restrict file upload permissions to prevent unauthorized file uploads. After upgrading, confirm the vulnerability is resolved by attempting to upload a file with a known malicious script payload and verifying that the script is not executed.
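The input validation and output encoding that the php detection bullet and the mitigation paragraph above call for, shown as an added example that is not EasyImages project code. It assumes the 'File' parameter carries a file name that /app/upload.php echoes back into an HTML page, as in the vulnerable snippet above; the helper names validate_file_param and html_out and the accepted-extension list are assumptions for illustration.

```php
<?php
// Added example (not EasyImages project code): hardened handling of the
// 'File' parameter. Assumption: the value is a plain file name that the
// page echoes back into HTML. Two layers are applied: a whitelist check
// on input, and HTML encoding on output.

declare(strict_types=1);

/**
 * Accept only a simple file name: no directory components, a conservative
 * character set, a bounded length, and a known image extension.
 * Returns null when the value is rejected. (Assumed helper name.)
 */
function validate_file_param(string $raw): ?string
{
    // Reject anything that is not a bare basename (blocks path traversal).
    if ($raw === '' || $raw !== basename($raw)) {
        return null;
    }
    // Whitelist: letters, digits, dot, dash, underscore; allowed extensions
    // are an assumption and should match what the deployment actually serves.
    if (!preg_match('/^[A-Za-z0-9._-]{1,128}\.(png|jpe?g|gif|webp|svg)$/i', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Encode on output so the browser never interprets the value as markup,
 * regardless of what validation let through. (Assumed helper name.)
 */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Request handling: a rejected value yields a 400 and is never echoed raw.
$file = validate_file_param((string) ($_GET['File'] ?? ''));
if ($file === null) {
    http_response_code(400);
    echo 'Invalid file name';
    exit;
}

// Safe: the vulnerable original was `echo $_GET['File'];` with no encoding.
echo '<p>Uploaded: ' . html_out($file) . '</p>';
```

Validation alone is not sufficient, because a later change to the whitelist (for example, permitting more characters) would silently reopen the reflection; the htmlspecialchars call is what guarantees that a value such as `<script>alert('XSS')</script>` reaches the browser as text. For uploaded SVG files themselves, which can embed script, the general practice is to serve them with an explicit image/svg+xml content type and a restrictive Content-Security-Policy, or to sanitize the SVG markup on upload, which is the review of SVG inputs the mitigation guidance refers to.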
Update the EasyImages plugin to a version later than 2.8.6, if one is available, to fix the XSS vulnerability. If no fixed version is available, consider disabling or removing the plugin until an update is published. Review and validate SVG file inputs to prevent malicious code injection.
CVE-2025-13415 is a cross-site scripting (XSS) vulnerability affecting icret EasyImages versions 2.8.0 through 2.8.6, allowing attackers to inject malicious scripts.
You are affected if your icret EasyImages installation is running version 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, or 2.8.6. Upgrade to 2.8.7 or later to resolve the issue.
Upgrade icret EasyImages to version 2.8.7 or later. As a temporary measure, implement input validation and sanitization on the 'File' parameter in /app/upload.php.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the icret EasyImages website or security advisories for the official advisory regarding CVE-2025-13415.