CVE-2025-2038
Published: 06 March 2025
Summary
CVE-2025-2038 is a high-severity Exposure of Information Through Directory Listing (CWE-548) vulnerability in Code-Projects Blood Bank Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). Its exploit likelihood is ranked at the 20.6th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 requires secure configuration settings like disabling directory indexing on web servers, directly preventing exposure via the /upload/ endpoint.
CM-7 mandates least functionality by prohibiting unnecessary features such as directory listings, comprehensively mitigating the /upload/ information disclosure.
SC-14 enforces protections for information accessed through public web interfaces, directly addressing directory listing vulnerabilities on exposed endpoints like /upload/.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory listing vulnerability in /upload/ exposes file and directory contents, directly enabling File and Directory Discovery (T1083) as noted in advisories.
NVD Description
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2038 is a critical vulnerability in code-projects Blood Bank Management System 1.0, affecting unknown processing of the /upload/ file or endpoint. It enables exposure of information through directory listing, mapped to CWE-548 (Exposure of Information Through Directory Listing) and CWE-552 (Files or Directories Accessible to External Parties). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-06.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and low complexity, requiring no user interaction. Exploitation involves manipulating the /upload/ endpoint to trigger directory listing, resulting in information disclosure with low impacts on confidentiality, integrity, and availability.
Advisories referenced on VulDB (ctiid.298781, id.298781, submit.512558) document the issue, while a GitHub repository (intercpt/XSS1/blob/main/Directorylisting.md) discloses the exploit publicly, noting it may be used by attackers. The project site at code-projects.org provides context on the affected software, but no specific patches or mitigations are detailed in available references.
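A remediation check for the CM-6/CM-7 controls listed above and for the /upload/ exposure described in this analysis: an added Python example, not code from this page or from the Blood Bank Management System, that classifies an HTTP response for a directory path as a server-generated listing, a denied request, or something to review by hand. The sample responses are constructed, and the fetch helper with its User-Agent string is an assumption for use against a deployment you administer.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Markers emitted by the stock auto-index pages of common web servers.
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex, nginx autoindex
    re.compile(r">\s*Parent Directory\s*<", re.I),           # Apache
    re.compile(r"\[To Parent Directory\]", re.I),            # IIS directory browsing
    re.compile(r"<title>\s*Directory listing for /", re.I),  # python -m http.server
]

@dataclass
class HttpResponse:
    status: int
    content_type: str
    body: str

def is_directory_listing(resp: HttpResponse) -> bool:
    """True when the response looks like a server-generated index of a directory."""
    if resp.status != 200 or "html" not in resp.content_type.lower():
        return False
    return any(m.search(resp.body) for m in LISTING_MARKERS)

def assess(path: str, resp: HttpResponse) -> str:
    """Classify one directory path: FAIL (listing exposed), PASS (denied) or INFO."""
    if is_directory_listing(resp):
        return f"FAIL {path}: directory listing exposed (CWE-548)"
    if resp.status in (403, 404):
        return f"PASS {path}: listing denied (HTTP {resp.status})"
    return f"INFO {path}: no listing detected (HTTP {resp.status}); review manually"

def fetch(url: str, timeout: float = 5.0) -> HttpResponse:
    """Fetch one URL of a deployment you administer (hypothetical helper; base URL is yours)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read().decode("utf-8", "replace")
            return HttpResponse(r.status, r.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, e.headers.get("Content-Type", ""), "")

# Constructed sample responses, not captured from any real system.
EXPOSED = HttpResponse(200, "text/html;charset=ISO-8859-1",
    "<html><head><title>Index of /upload</title></head><body><h1>Index of /upload</h1>"
    "<a href='/'>Parent Directory</a> <a href='report.pdf'>report.pdf</a></body></html>")
HARDENED = HttpResponse(403, "text/html", "<html><body><h1>Forbidden</h1></body></html>")
APP_PAGE = HttpResponse(200, "text/html", "<html><body><h1>Blood Bank</h1><form></form></body></html>")
```

After disabling indexing (for example `Options -Indexes` in Apache or `autoindex off;` in nginx), `assess("/upload/", fetch(base_url + "/upload/"))` should report PASS rather than FAIL.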
Details
- CWE(s)