CVE-2025-52921

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-52921
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52921.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52921
Published
2025-06-23T12:15:22.970Z
Modified
2026-04-10T05:30:45.601114Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
[none]
Details

In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.

References

Affected packages

Git / github.com/innocommerce/innoshop

Affected ranges

Type
GIT
Repo
https://github.com/innocommerce/innoshop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6e1c6cc37950d2c00b0e3c948b5cd332e8db933d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.4.1"
        }
    ]
}

Affected versions

v0.*
v0.1.1
v0.2.0
v0.2.1
v0.2.6
v0.2.8
v0.3.0
v0.3.10
v0.3.2
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52921.json"