CVE-2025-3268

A vulnerability has been found in qinguoyi TinyWebServer up to 1.0 and classified as critical. This vulnerability affects unknown code of the file http/http_conn.cpp. The manipulation of the argument m_url_real leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7	Broken Link
https://vuldb.com/?ctiid.303340	Permissions Required VDB Entry
https://vuldb.com/?id.303340	Third Party Advisory VDB Entry
https://vuldb.com/?submit.549229	Third Party Advisory VDB Entry
https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:qinguoyi:tinywebserver:*:*:*:*:*:*:*:*

History

23 Apr 2025, 13:11

Type	Values Removed	Values Added
First Time		Qinguoyi Qinguoyi tinywebserver
CPE		cpe:2.3:a:qinguoyi:tinywebserver::::::::
References	~~() https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7 -~~	() https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7 - Broken Link
References	~~() https://vuldb.com/?ctiid.303340 -~~	() https://vuldb.com/?ctiid.303340 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.303340 -~~	() https://vuldb.com/?id.303340 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.549229 -~~	() https://vuldb.com/?submit.549229 - Third Party Advisory, VDB Entry
CWE		NVD-CWE-noinfo

07 Apr 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7 -~~	() https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7 -

07 Apr 2025, 14:17

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad en qinguoyi TinyWebServer hasta la versión 1.0, clasificada como crítica. Esta vulnerabilidad afecta al código desconocido del archivo http/http_conn.cpp. La manipulación del argumento m_url_real provoca una autenticación incorrecta. El ataque puede iniciarse remotamente. Se ha hecho público el exploit y puede que sea utilizado.

04 Apr 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-04 21:15

Updated : 2025-04-23 13:11

NVD link : CVE-2025-3268

Mitre link : CVE-2025-3268

CVE.ORG link : CVE-2025-3268

JSON object : View

Products Affected

qinguoyi

tinywebserver

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

{"id": "CVE-2025-3268", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-04T21:15:51.557", "references": [{"url": "https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7", "tags": ["Broken Link"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.303340", "tags": ["Permissions Required", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.303340", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.549229", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://magnificent-dill-351.notion.site/Improper-Authentication-in-TinyWebServer-1-0-1c9c693918ed80cfa0f5db1a1d03c5e7", "tags": ["Broken Link"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in qinguoyi TinyWebServer up to 1.0 and classified as critical. This vulnerability affects unknown code of the file http/http_conn.cpp. The manipulation of the argument m_url_real leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad en qinguoyi TinyWebServer hasta la versi\u00f3n 1.0, clasificada como cr\u00edtica. Esta vulnerabilidad afecta al c\u00f3digo desconocido del archivo http/http_conn.cpp. La manipulaci\u00f3n del argumento m_url_real provoca una autenticaci\u00f3n incorrecta. El ataque puede iniciarse remotamente. Se ha hecho p\u00fablico el exploit y puede que sea utilizado."}], "lastModified": "2025-04-23T13:11:34.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qinguoyi:tinywebserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "159604E0-C0B2-493B-9C3B-0C2A1EBDBE85", "versionEndIncluding": "1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2025-3268

5.3^/10

5.0^/10

Attach tags to `CVE-2025-3268`