Unrestricted File Upload in veal98 小牛肉 Echo System 4.2
CVE-2025-3566

6.9 MEDIUM

Key Information:

Vendor: Veal98 小牛肉
Product: Echo 开源社区系统
CVE Published: 14 April 2025

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A security vulnerability has been identified in the veal98 小牛肉 Echo System version 4.2, in the uploadMdPic function of the upload functionality. Manipulating the editormd-image-file parameter allows files to be uploaded without restriction. The vulnerability can be exploited remotely and poses a significant risk to file security within the system. Because the exploit has been publicly disclosed, applying mitigations is urgent.

Affected Version(s)

Echo 开源社区系统 4.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Caigo (VulDB User)