Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22213

Severity CVSS v4.0:
HIGH
Type:
CWE-434 Unrestricted Upload of File with Dangerous Type
Publication date:
11/03/2025
Last modified:
11/03/2025

Description

Inadequate checks in the Media Manager allowed users with "edit" privileges to change file extension to arbitrary extension, including .php and other potentially executable extensions.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/AU:N CVSS v4.0 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/AU:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): Low
Integrity (SI): High
Availability (SA): Low
Automatable (AU): No

Base Score 4.0
7.10
Severity 4.0
HIGH

References to Advisories, Solutions, and Tools