CVE-2025-52921

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-52921

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52921.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-52921

Published

2025-06-23T12:15:22Z

Modified

2025-06-27T11:02:47.578903Z

Summary

[none]

Details

In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.

References

Affected packages

Git / github.com/innocommerce/innoshop

Affected ranges

Type: GIT
Repo: https://github.com/innocommerce/innoshop
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

6e1c6cc37950d2c00b0e3c948b5cd332e8db933d

Affected versions

v0.*

v0.1.1

v0.2.0

v0.2.1

v0.2.6

v0.2.8

v0.3.0

v0.3.10

v0.3.2

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.1