CVE-2025-52921

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier

Description: The issue allows an authenticated attacker to achieve code execution on the server by exploiting the File Manager functions in the admin panel. This is done by uploading a crafted file and then renaming it to have a .php extension using the Rename Function, bypassing the initial check that restricts uploaded files to image files. The application's reliance on frontend checks to restrict file extension changes to .php can be easily bypassed with tools like BurpSuite. Once the file is renamed with a .php extension, a GET request can trigger the execution of code on the server.

Recommendations: For Innoshop versions 0.4.1 and earlier, consider disabling the Rename Function in the File Manager until a patch is available to prevent attackers from renaming uploaded files to have a .php extension. Restrict access to the File Manager in the admin panel to minimize the risk of exploitation. Avoid using the File Manager to upload files that could potentially be renamed to executable extensions.