CVE-2025-1593
Published: 23 February 2025
Summary
CVE-2025-1593 is a medium-severity Improper Access Control (CWE-284) vulnerability in Mayurik Best Employee Management System. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents unrestricted upload of dangerous files in the Profile Picture Handler by validating file types, sizes, and content at the input interface.
Enforces approved access authorizations to address CWE-284 improper access control in the privileged Profile Picture Handler component.
Scans uploaded files for malicious code at system entry points, mitigating exploitation of unrestricted uploads of dangerous types per CWE-434.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in a web app directly enables web shell deployment (T1505.003) and exploitation of public-facing application (T1190).
NVD Description
A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture Handler. The manipulation leads to unrestricted upload. It is possible to…
more
initiate the attack remotely.
Deeper analysisAI
CVE-2025-1593 is a vulnerability classified as critical in SourceCodester Best Employee Management System 1.0, affecting an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ within the Profile Picture Handler component. It enables unrestricted upload through manipulation, remotely exploitable, with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). The issue maps to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
Attackers require high privileges (PR:H) to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation results in low impacts to confidentiality, integrity, and availability, potentially allowing unauthorized file uploads that could lead to further compromise depending on the uploaded content.
Advisories and additional details are available via VulDB at https://vuldb.com/?ctiid.296577, https://vuldb.com/?id.296577, and https://vuldb.com/?submit.505212, along with the vendor site at https://www.sourcecodester.com/.
Details
- CWE(s)