PT-2025-42751 · Galaxy Software Services · Vitals Esp Forum Module
Published 2025-10-20 · Updated 2026-01-30 · CVE-2025-31342
CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Galaxy Software Services Corporation Vitals ESP Forum Module versions through 1.3
Description
An unrestricted upload of file with dangerous type flaw exists in the upload file function. This allows remote authenticated users to execute arbitrary system commands via a malicious file. The issue enables direct command execution and is considered trivial to weaponize.
Recommendations
Versions prior to 1.4 should be updated. As a temporary workaround, restrict file uploads to safe file types. Consider disabling the upload file function until a patch is available.
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Vitals Esp Forum Module