Cyber Posture

CVE-2025-1590

Medium

Published: 23 February 2025

Published
23 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0005 15.7th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1590 is a medium-severity Improper Access Control (CWE-284) vulnerability in Janobe E-Learning System. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates unrestricted file uploads by validating and sanitizing uploaded files to ensure only safe types and content are processed.

AC-3 Access Enforcement good match
prevent

Enforces access control policies to prevent improper access leading to unrestricted file uploads even by high-privilege administrators.

AC-6 Least Privilege partial match
prevent

Applies least privilege to limit administrative capabilities, preventing unrestricted file upload functions from being available to users.

MITRE ATT&CK Enterprise TechniquesAI

T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Unrestricted file upload in web app admin component directly enables ingress of tools/payloads and deployment of web shells for execution/persistence.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. The manipulation leads to unrestricted upload. It is possible…

more

to launch the attack remotely.

Deeper analysisAI

CVE-2025-1590 is a critical vulnerability in SourceCodester E-Learning System 1.0, affecting an unknown function within the file /admin/modules/lesson/index.php of the List of Lessons Page component. The flaw enables unrestricted file upload, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-23.

The vulnerability is remotely exploitable over the network with low complexity and no user interaction required, but demands high privileges (PR:H), such as administrative access. An attacker with these privileges can manipulate the affected endpoint to perform unrestricted uploads, potentially resulting in low-level impacts to confidentiality, integrity, and availability.

Advisories and further details are available via VulDB references at https://vuldb.com/?ctiid.296574, https://vuldb.com/?id.296574, and https://vuldb.com/?submit.504045, along with the vendor site at https://www.sourcecodester.com/. No specific patch or mitigation guidance is detailed in the available information.

Details

CWE(s)
CWE-284CWE-434

Affected Products

janobe
e-learning system
1.0

CVEs Like This One

CVE-2025-1166Shared CWE-284, CWE-434
CVE-2026-4221Shared CWE-284, CWE-434
CVE-2025-1555Shared CWE-284, CWE-434
CVE-2025-1818Shared CWE-284, CWE-434
CVE-2026-2977Shared CWE-284, CWE-434
CVE-2025-0722Shared CWE-284, CWE-434
CVE-2025-2350Shared CWE-284, CWE-434
CVE-2026-1424Shared CWE-284, CWE-434
CVE-2025-2115Shared CWE-284, CWE-434
CVE-2026-3025Shared CWE-284, CWE-434

References