CVE-2025-63227
Severity CVSS v4.0:
Pending analysis
Type:
CWE-434
Unrestricted Upload of File with Dangerous Type
Publication date:
18/11/2025
Last modified:
08/12/2025
Description
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page