CVE-2025-5114

Name of the Vulnerable Software and Affected Versions easysoft zentaopms version 21.5 20250307

Description A critical issue has been discovered that affects the Edit function of the component Committer. The issue is related to the manipulation of the filePath argument in the /index.php?m=editor&f=edit&filePath=cGhhcjovLy9ldGMvcGFzc3dk&action=edit endpoint, leading to deserialization. This can be initiated remotely. The details of this issue have been publicly disclosed, and the vendor was notified but did not respond.

Recommendations For easysoft zentaopms version 21.5 20250307, as a temporary workaround, consider restricting access to the Edit function of the Committer component to minimize the risk of exploitation. Avoid using the filePath argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.