CVE-2025-5498

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-5498
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md
https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md
https://github.com/slackero/phpwcms/releases/tag/v1.10.9
https://vuldb.com/?ctiid.310913
https://vuldb.com/?id.310913
https://vuldb.com/?submit.578054
https://vuldb.com/?submit.578055
Configurations

No configuration.

History

04 Jun 2025, 14:54

Type Values Removed Values Added
Summary
  • (es) Se encontró una vulnerabilidad en slackero phpwcms hasta la versión 1.9.45/1.10.8. Se ha clasificado como crítica. Este problema afecta a la función file_get_contents/is_file del archivo include/inc_lib/content/cnt21.readform.inc.php del componente Custom Source Tab. La manipulación del argumento cpage_custom provoca la deserialización. El ataque puede ejecutarse en remoto. Se ha hecho público el exploit y puede que sea utilizado. Actualizar a las versiones 1.9.46 y 1.10.9 puede solucionar este problema. Se recomienda actualizar el componente afectado.

03 Jun 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-03 14:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-5498

Mitre link : CVE-2025-5498

CVE.ORG link : CVE-2025-5498

JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation

CWE-502

Deserialization of Untrusted Data