Search criteria
1 vulnerability by merikbest
CVE-2025-4868 (GCVE-0-2025-4868)
Vulnerability from cvelistv5 – Published: 2025-05-18 09:00 – Updated: 2025-05-19 15:22
VLAI?
Title
merikbest ecommerce-spring-reactjs File Upload Endpoint admin path traversal
Summary
A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| merikbest | ecommerce-spring-reactjs |
Affected:
464e610bb11cc2619cf6ce8212ccc2d1fd4277fd
|
Credits
ShenxiuSecurity (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4868",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:53:43.395557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:22:53.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Upload Endpoint"
],
"product": "ecommerce-spring-reactjs",
"vendor": "merikbest",
"versions": [
{
"status": "affected",
"version": "464e610bb11cc2619cf6ce8212ccc2d1fd4277fd"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ShenxiuSecurity (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in merikbest ecommerce-spring-reactjs up to 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v1/admin/ of the component File Upload Endpoint. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in merikbest ecommerce-spring-reactjs bis 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd ausgemacht. Davon betroffen ist unbekannter Code der Datei /api/v1/admin/ der Komponente File Upload Endpoint. Mit der Manipulation des Arguments filename mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt verzichtet auf eine Versionierung und verwendet stattdessen Rolling Releases. Deshalb sind keine Details zu betroffenen oder zu aktualisierende Versionen vorhanden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-18T09:00:06.147Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309410 | merikbest ecommerce-spring-reactjs File Upload Endpoint admin path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.309410"
},
{
"name": "VDB-309410 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309410"
},
{
"name": "Submit #575506 | merikbest ecommerce-spring-reactjs master branch Path Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.575506"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250512-01.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-16T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-16T21:23:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "merikbest ecommerce-spring-reactjs File Upload Endpoint admin path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4868",
"datePublished": "2025-05-18T09:00:06.147Z",
"dateReserved": "2025-05-16T19:18:09.045Z",
"dateUpdated": "2025-05-19T15:22:53.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}