CVE-2025-2038
Published: 06 March 2025
Summary
CVE-2025-2038 is a medium-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Code-Projects Blood Bank Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-2038 is a critical vulnerability in code-projects Blood Bank Management System 1.0, affecting unknown processing of the /upload/ file or endpoint. It enables exposure of information through directory listing, mapped to CWE-548 (Files or Directories Accessible to External Parties) and CWE-552 (Files or Directories Accessible to External Parties). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-06.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and low complexity, requiring no user interaction. Exploitation involves manipulating the /upload/ endpoint to trigger directory listing, resulting in information disclosure with low impacts on confidentiality, integrity, and availability.
Advisories referenced on VulDB (ctiid.298781, id.298781, submit.512558) document the issue, while a GitHub repository (intercpt/XSS1/blob/main/Directorylisting.md) discloses the exploit publicly, noting it may be used by attackers. The project site at code-projects.org provides context on the affected software, but no specific patches or mitigations are detailed in available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7473
Vulnerability details
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may…
more
be initiated remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory listing vulnerability in /upload/ exposes file and directory contents, directly enabling File and Directory Discovery (T1083) as noted in advisories.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
CM-6 requires secure configuration settings like disabling directory indexing on web servers, directly preventing exposure via the /upload/ endpoint.
CM-7 mandates least functionality by prohibiting unnecessary features such as directory listings, comprehensively mitigating the /upload/ information disclosure.
SC-14 enforces protections for information accessed through public web interfaces, directly addressing directory listing vulnerabilities on exposed endpoints like /upload/.