CVE-2025-5007
Vulnerability in Part-DB up to 1.17.0 leads to cross site scripting
Overview
A vulnerability in Part-DB up to version 1.17.0 can lead to cross-site scripting (XSS). The affected function is handleUpload of the Profile Picture Feature component. The issue is caused by manipulation of the argument 'attachment'.
Technical Details
The exploit lies in the 'handleUpload' function of the 'src/Services/Attachments/AttachmentSubmitHandler.php' file of the component Profile Picture Feature. Exploitability is public and an exploit can be triggered remotely. The vulnerability is patched in Part-DB version 1.17.1.
CVSS Metrics
- base score: 5.1
- base severity: MEDIUM
- attack vector: NETWORK
- attack complexity: LOW
- user interaction: PASSIVE
- confidentiality impact: NONE
- integrity Impact: LOW
- availability Impact: NONE
Impact
Attackers can manipulate the argument 'attachment', leading to cross site scripting. The attack may be launched remotely.
Recommendations
Upgrade to Part-DB version 1.17.1 to mitigate this issue as this version includes a patch addressing the vulnerability.
Threat Metrics
- "cvss_score": 5.1
- "severity": "MEDIUM"
- "attack_vector": "NETWORK"
- "attack_complexity": "LOW"