CVE-2025-5178: Realce Tecnologia Queue Ticket Kiosk Image File ajax.php unrestricted upload
Description
A vulnerability classified as critical has been found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. Affected is an unknown function of the file /adm/ajax.php of the component Image File Handler. The manipulation of the argument files[] leads to unrestricted upload. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine kritische Schwachstelle in Realce Tecnologia Queue Ticket Kiosk bis 20250517 entdeckt. Hiervon betroffen ist ein unbekannter Codeblock der Datei /adm/ajax.php der Komponente Image File Handler. Dank der Manipulation des Arguments files[] mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden.
Classification
CVE ID: CVE-2025-5178
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
Vendor: Realce Tecnologia
Product: Queue Ticket Kiosk
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.91% (scored less or equal to compared to others)
EPSS Date: 2025-06-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-5178https://vuldb.com/?id.310266
https://vuldb.com/?ctiid.310266
https://vuldb.com/?submit.579851