CVE-2025-52207

PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/mikopbx/Core/commit/3ee785429d3f1b33c9ab387ef4221127c9b8c5f3
https://www.mikopbx.com/

Configurations

No configuration.

History

30 Jun 2025, 18:38

Type	Values Removed	Values Added
Summary		(es) PBXCoreREST/Controllers/Files/PostController.php en MikoPBX hasta 2024.1.114 permite cargar un script PHP en un directorio arbitrario.

27 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-27 17:15

Updated : 2025-06-30 18:38

NVD link : CVE-2025-52207

Mitre link : CVE-2025-52207

CVE.ORG link : CVE-2025-52207

JSON object : View

Products Affected

No product.

CWE

CWE-23

Relative Path Traversal

9.9 /10