Overview
A medium-severity vulnerability, tracked as CVE-2025-13185, has been disclosed in News365 by Bdtask (distributed via CodeCanyon), affecting versions up to 7.0.3. The flaw is an unrestricted file upload in the /admin/dashboard/profile endpoint: by manipulating the profile_image or banner_image parameter, an attacker can upload arbitrary files instead of images, which can lead to remote code execution and full compromise of the server. The vulnerability is actively being exploited in the wild.
Technical Details
The vulnerability lies in insufficient validation of uploaded files in the /admin/dashboard/profile functionality: neither the file type nor the file size is properly checked, and the file extension is not restricted to image formats. An attacker can therefore submit a malicious file, such as a PHP script, in place of a profile or banner image; if the upload directory is served by the web server with script execution enabled, requesting the uploaded file afterwards executes it on the server. The affected parameters are profile_image and banner_image. Because the endpoint sits under the admin dashboard, exploitation presumably requires an authenticated administrative session (an inference from the path; the advisory does not state the privilege level), which is consistent with the medium rating. The vendor was notified but did not respond.
CVSS Analysis
- CVE ID: CVE-2025-13185
- Severity: MEDIUM
- CVSS Score: 4.7
- CVSS Vector: not provided in the source data; the 4.7 base score alone does not determine the vector.
Although the base score is 4.7 (Medium), the real-world impact can be significantly higher: a file upload that results in code execution gives the attacker whatever access the web server process has, so the outcome depends on server configuration and permissions. The public availability of the exploit increases the likelihood of exploitation.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Remote Code Execution (RCE): An attacker could execute arbitrary code on the server, potentially gaining full control.
- Website Defacement: Attackers could modify the website’s content, causing reputational damage.
- Data Breach: Sensitive data stored on the server could be accessed and stolen.
- Malware Distribution: The compromised server could be used to distribute malware to website visitors.
Mitigation and Patch Steps
Since the vendor has not responded and no official patch is available, the following workarounds are recommended:
- Restrict File Uploads: Validate uploaded files server-side against an allow-list of image formats (e.g., JPG, PNG, GIF), checking both the extension and the file's actual content (magic bytes), and reject everything else. Use an allow-list rather than a block-list; client-side checks alone are trivially bypassed.
- Sanitize Filenames: Do not store files under the client-supplied name. Generate a random server-side filename and append only the extension that passed validation, so double extensions (such as shell.php.jpg), path separators and null bytes never reach the filesystem.
- Implement File Size Limits: Enforce a strict server-side size limit for uploaded images to prevent excessively large files from exhausting disk or memory.
- Store Uploads Outside the Web Root: Store uploaded files outside the web root and serve them through a handler that sets the correct content type, so an uploaded file can never be requested and executed directly. Where that is not possible, disable script execution for the upload directory in the web server configuration so that a .php file placed there is served as static content or denied.
- Regular Security Audits: Conduct regular security audits of the News365 installation and server environment, including a check of the existing upload directory for files that are not valid images, since their presence indicates the flaw has already been exploited.
- Web Application Firewall (WAF): Deploy a WAF with rules to detect and block malicious file upload attempts, as defence in depth rather than as the primary control, since upload filtering rules can be evaded.
- Consider Alternatives: If possible, consider migrating to a more actively maintained news platform with a better security track record.
Important Note: These mitigations reduce but do not eliminate the risk. A proper patch from the vendor remains the correct fix.
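As an added example (not News365 code, and not anything published by the vendor), the following Python implements the allow-list validation described in the mitigation steps and, because the Technical Details section describes what a successful upload leaves behind, reuses the same checks to scan an existing upload directory for files that should never have been accepted. The allow-list, the 2 MiB limit, the rejection codes and the sample files are assumptions constructed for illustration; adapt paths and limits to your own deployment.

```python
"""Allow-list image upload validation plus a scan of an upload directory for
files the validator would have refused.

Added example: not News365 code and not derived from it.  The allow-list,
size limit, rejection codes and sample files are assumptions for illustration.
"""
import os
import secrets
import tempfile
from typing import List, Optional, Tuple

# Permitted extension -> magic-byte prefixes the content must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed policy limit (2 MiB)
# Server-side script markers that never belong inside an image; this catches
# GIF/JPEG-plus-PHP polyglots that pass the magic-byte check.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def _split_name(client_filename: str) -> Tuple[str, str]:
    """Return (basename, lower-cased final extension); '' if there is none."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    return base, ext


def reject_reason(client_filename: str, data: bytes,
                  max_bytes: int = MAX_UPLOAD_BYTES) -> Optional[str]:
    """Return a short rejection code, or None if the upload is acceptable."""
    if len(data) > max_bytes:
        return "too-large"
    if len(data) < 8:  # shorter than any signature above
        return "too-small"
    base, ext = _split_name(client_filename)
    if not base or "\x00" in base or not ext:
        return "bad-name"
    if ext not in IMAGE_SIGNATURES:  # allow-list: shell.php, .htaccess, ...
        return "bad-extension"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return "type-mismatch"  # e.g. shell.php.jpg whose bytes are PHP
    if any(marker in data for marker in SCRIPT_MARKERS):
        return "script-marker"
    return None


class UploadRejected(ValueError):
    pass


def validate_image_upload(client_filename: str, data: bytes,
                          max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Validate an upload and return a random, server-chosen storage name.

    The client-supplied name is used only to read off the declared extension,
    so double extensions, path separators and null bytes never reach disk.
    """
    reason = reject_reason(client_filename, data, max_bytes)
    if reason is not None:
        raise UploadRejected(reason)
    _base, ext = _split_name(client_filename)
    return f"{secrets.token_hex(16)}.{ext}"


def scan_upload_dir(directory: str) -> List[Tuple[str, str]]:
    """Incident check: (relative path, reason) for every file under an upload
    tree that the validator would refuse.  The size limit is not applied; the
    question here is only whether each file is really an image."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reason = reject_reason(name, data, max_bytes=len(data))
            if reason is not None:
                findings.append((os.path.relpath(path, directory), reason))
    return sorted(findings)


# Constructed samples (not captured from a real system) for the demo below.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,            # legitimate
    "shell.php": b"<?php phpinfo(); ?>",                            # plain script
    "shell.php.jpg": b"<?php phpinfo(); ?>",                        # double extension
    "poly.gif": b"GIF89a" + b"\x00" * 16 + b"<?php phpinfo(); ?>",  # polyglot
    ".htaccess": b"AddType application/x-httpd-php .jpg\n",         # handler override
    "fake.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,               # wrong type
}


def demo_scan() -> List[Tuple[str, str]]:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    for rel_path, reason in demo_scan():
        print(f"{rel_path}: {reason}")
```

Only avatar.png survives the scan; each of the other samples is rejected for a different reason, which is the point of layering the extension, signature and content-marker checks rather than relying on any one of them.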
