CVE-2025-5425: juzaweb CMS Theme Editor Page default access control
Description
A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as critical. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor Page. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine kritische Schwachstelle in juzaweb CMS bis 3.4.2 ausgemacht. Dabei betrifft es einen unbekannter Codeteil der Datei /admin-cp/theme/editor/default der Komponente Theme Editor Page. Durch Manipulieren mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-5425
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
Vendor: juzaweb
Product: CMS
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 10.45% (scored less or equal to compared to others)
EPSS Date: 2025-06-08 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-5425https://vuldb.com/?id.310758
https://vuldb.com/?ctiid.310758
https://vuldb.com/?submit.584053
https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_access_theme_editing.md