PT-2025-48430 · Unknown · Mogu Blog V2

Sh7Err05 · Published 2025-12-01 · Updated 2025-12-03 · CVE-2025-13816

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

moxi159753 Mogu Blog v2 versions up to 5.2

Description

A security issue exists in moxi159753 Mogu Blog v2. The FileOperation.unzip function within the ZIP File Handler component, located in the /networkDisk/unzipFile file, is susceptible to path traversal due to manipulation of the fileUrl argument. This allows for remote attacks. The exploit for this issue has been publicly disclosed. The vendor was informed of this disclosure but did not provide a response.

Recommendations

Versions up to 5.2: Address the path traversal issue in the FileOperation.unzip function by validating the fileUrl argument to prevent manipulation. As a temporary workaround, restrict access to the /networkDisk/unzipFile file.
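The fileUrl validation recommended above, sketched as an added Java example; it is not Mogu Blog's code or a vendor fix. It assumes fileUrl is meant to name an archive under a single storage root; the class FileUrlGuard, its resolve method and the temporary directory are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper (not Mogu Blog code): confines a caller-supplied fileUrl to one storage root. */
public final class FileUrlGuard {
    private final Path root;

    public FileUrlGuard(Path storageRoot) throws IOException {
        // Resolve symlinks once so later comparisons use the real location.
        this.root = storageRoot.toRealPath();
    }

    /** Returns the resolved archive path, or throws if fileUrl leaves the storage root. */
    public Path resolve(String fileUrl) throws IOException {
        if (fileUrl == null || fileUrl.isEmpty() || fileUrl.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed fileUrl");
        }
        // Treat the value as relative to the root, whatever the caller sent.
        String relative = fileUrl.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("fileUrl escapes storage root");
        }
        // Re-check after symlink resolution; toRealPath also fails if the file is missing.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new SecurityException("fileUrl does not name a file under storage root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data in a temporary directory.
        Path root = Files.createTempDirectory("disk");
        Files.write(root.resolve("ok.zip"), new byte[0]);
        FileUrlGuard guard = new FileUrlGuard(root);
        System.out.println("accepted: " + guard.resolve("/ok.zip"));
        for (String bad : new String[] {"../../etc/passwd", "a/../../x.zip", "..\\..\\x.zip"}) {
            try {
                guard.resolve(bad);
                System.out.println("UNEXPECTED accept: " + bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```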

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-13816

Affected Products

Mogu Blog V2