CVE-2025-2952 MEDIUM

CVE-2025-2952: Bluestar Micro Mall api.php unrestricted upload

Vendor Bluestar

Product Micro Mall

Weakness CWE-434 · Unrestricted file upload

Published March 30, 2025

Last update March 31, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Key dates

02Disclosure timeline

March 30, 2025 CVE published

March 31, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2952 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/434.html

Related vulnerabilities

04Related CVE

CVE-2024-6311 Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Upload CVE-2025-14849 Advantech WebAccess/SCADA Unrestricted Upload of File with Dangerous Type CVE-2024-40744 Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8 CVE-2026-1152 technical-laohu mpay QR Code Image unrestricted upload CVE-2025-4403 Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function