PT-2025-22316 · Part-Db · Part-Db
B1D0Ws
Published 2025-05-20 · Updated 2025-05-21
CVE-2025-5007
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Part-DB versions up to 1.17.0
Description
A vulnerability was found in the profile picture feature of Part-DB, affecting the handleUpload function in the AttachmentSubmitHandler.php file. Manipulation of the attachment argument leads to cross-site scripting. The attack can be launched remotely.
Recommendations
For Part-DB versions up to 1.17.0, upgrade to version 1.17.1 to address this issue. As a temporary workaround, consider restricting the use of the handleUpload function of the AttachmentSubmitHandler.php file until the upgrade is applied.
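The advisory does not state which property of the uploaded attachment is abused, so the following is a generic defensive pattern for a profile-picture upload endpoint, added here as an illustration and not Part-DB's own code or the actual fix shipped in 1.17.1. It assumes a handler that receives the raw bytes, the client-declared Content-Type and the client-supplied filename; all function names, the size limit and the accepted formats are choices made for this example. The content is classified from its own magic bytes rather than the declared type or extension, the stored name is generated server-side, and the headers used when serving the file tell the browser not to sniff or execute it.

```python
"""Defensive validation for an image attachment upload (illustrative example)."""
import re
import uuid

# Raster formats accepted for a profile picture, keyed by their leading magic bytes.
# Assumption for this example: only PNG, JPEG and GIF are needed; SVG/HTML are never accepted
# because browsers can execute script embedded in them when they are rendered directly.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for the example


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller returns an error and stores nothing."""


def detect_image_type(data: bytes):
    """Classify the file from its own bytes; return (extension, mime) or None if not allowed."""
    for signature, kind in ALLOWED_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def safe_display_name(client_name: str, extension: str) -> str:
    """Reduce the client-supplied name to a short, characters-only stem and pin the extension."""
    stem = client_name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "image"
    return f"{stem}.{extension}"


def validate_profile_picture(data: bytes, declared_mime: str, client_name: str) -> dict:
    """Validate an upload and return the storage name plus the headers to use when serving it."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content is not an allowed raster image")
    extension, mime = detected
    # The declared type is untrusted; it must agree with what the bytes say.
    if declared_mime.lower().split(";")[0].strip() != mime:
        raise UploadRejected("declared Content-Type does not match file content")
    # Never derive the on-disk name from client input.
    stored_name = f"{uuid.uuid4().hex}.{extension}"
    display_name = safe_display_name(client_name, extension)
    return {
        "stored_name": stored_name,
        "mime": mime,
        "response_headers": {
            "Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'inline; filename="{display_name}"',
            "Content-Security-Policy": "default-src 'none'; sandbox",
        },
    }


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header with a hostile-looking client filename.
    sample = b"\x89PNG\r\n\x1a\n" + bytes(24)
    print(validate_profile_picture(sample, "image/png", "../avatar<1>.svg.png"))
```

The same pattern applies to any attachment type the application renders inline: decide the type from content, never from the request, and serve stored files with nosniff and a restrictive CSP so that even a file that slips through cannot run script in the application's origin.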
Exploit · Fix
Tags: XSS, Code Injection
Related Identifiers
Affected Products
Part-Db