CVE-2025-5380
Description
A vulnerability, which was classified as critical, has been found in ashinigit 天青一白 XueShengZhuSu 学生住宿管理系统 up to 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb. This issue affects some unknown processing of the file /upload/ of the component Image File Upload. The manipulation of the argument File leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in the image file upload of XueShengZhuSu student dormitory management system allows remote attackers to write arbitrary files.
Vulnerability
Overview
The vulnerability resides in the /upload/ endpoint of the XueShengZhuSu (学生住宿管理系统) student dormitory management system, specifically in the image file upload functionality. The manipulation of the File argument leads to a path traversal condition, enabling an attacker to specify arbitrary file paths for the uploaded content. This issue affects versions up to commit 4d3f0ada0e71482c1e51fd5f5615e5a3d8bcbfbb of the rolling-release project [1].
Exploitation
The attack can be initiated remotely [1]; the advisory does not state whether the upload endpoint requires authentication. By sending an upload request whose File filename carries a traversal sequence such as ../ (or its percent-encoded or backslash variants), an attacker can cause the uploaded content to be written to a directory outside the intended upload folder. A public exploit exists, which increases the likelihood of active exploitation [1].
Impact
Successful exploitation lets an attacker write uploaded files at attacker-chosen paths outside the upload folder. If a web-served or otherwise executed location is writable by the application process, this can escalate to remote code execution via a web shell, and from there to data exfiltration or full compromise of the application server. The assigned CVSS v3 base score is 6.3 (Medium) with low attack complexity [1]; the practical impact depends on which paths the application process can write to and whether the server executes files placed there.
Mitigation
As the project uses a rolling release model, no specific patched version is available. Users are advised to restrict access to the /upload/ endpoint, validate the submitted filename (reject any directory component, reject empty or dot-only names, and allow only the expected image extensions), resolve the final write path and confirm it remains inside the upload directory, and monitor for unauthorized file uploads. The vendor has not released an official fix as of the publication date [1].
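The traversal pattern described under Exploitation and the validation described under Mitigation, as an added example that is not code from the XueShengZhuSu project (the project's implementation language and handler code are not on this page, so Python is used for illustration). The upload directory, the allowed-extension list, and the constructed multipart request body are assumptions; the form field name follows the advisory's "argument File".

```python
"""Path traversal in an image upload handler: the naive path construction the
advisory describes, beside a hardened replacement.  Added example; not code
from the XueShengZhuSu project.  UPLOAD_DIR, ALLOWED_EXT and the sample request
body are assumptions."""
import os
import re
import urllib.parse
from typing import Optional, Tuple

UPLOAD_DIR = "/var/www/app/upload"               # assumed; not stated in the advisory
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # "Image File Upload" component

# Constructed multipart body with a traversal sequence in the filename of the
# "File" field.  This is what a traversal attempt against an upload endpoint
# looks like in general; it is not a captured exploit for this CVE.
SAMPLE_REQUEST_BODY = (
    "------boundary\r\n"
    'Content-Disposition: form-data; name="File"; filename="../../shell.php"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "<?php system($_GET['c']); ?>\r\n"
    "------boundary--\r\n"
)

_DISPOSITION = re.compile(
    r'Content-Disposition: form-data; name="File"; filename="([^"\r\n]*)"')


def extract_filename(body: str) -> Optional[str]:
    """Pull the client-controlled filename out of the 'File' form field."""
    m = _DISPOSITION.search(body)
    return m.group(1) if m else None


def naive_save_path(upload_dir: str, filename: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined straight
    onto the upload directory, so '../' components walk out of it."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def classify_upload(filename: str, upload_dir: str = UPLOAD_DIR) -> Tuple[str, str]:
    """Hardened check.  Returns ('accepted', resolved_path) or ('rejected', reason)."""
    # Decode once so '%2e%2e%2f' is seen as '../'; treat '\' as a separator too,
    # since the server may run on Windows.
    name = urllib.parse.unquote(filename).replace("\\", "/")
    if "/" in name:
        # A bare image name never needs a directory component; reject rather
        # than silently strip it, so the attempt can be logged.
        return "rejected", "directory component in filename"
    if name in ("", ".", "..") or "\x00" in name:
        return "rejected", "invalid name"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return "rejected", "extension not allowed"
    # Defence in depth: resolve symlinks and confirm the final path is still
    # inside the upload root, independent of the string checks above.
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        return "rejected", "path escapes upload directory"
    return "accepted", target


if __name__ == "__main__":
    name = extract_filename(SAMPLE_REQUEST_BODY)
    print("filename from request :", name)
    print("naive handler writes  :", naive_save_path(UPLOAD_DIR, name))
    print("hardened handler      :", classify_upload(name))
    for probe in ("photo.png", "..%2f..%2fshell.png", "..\\..\\x.png", "x.php", ".."):
        print(f"{probe!r:>22} ->", classify_upload(probe))
```

The naive handler turns the constructed request into a write at /var/www/shell.php, two levels above the upload folder; the hardened check rejects it before any path is built. In practice, a server-generated name (for example a random identifier plus the validated extension) removes the client's influence over the path entirely, and the containment check then guards only against mistakes in the server's own code.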
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.