FoxCMS Images.php batchCope sql injection_CVE-2025-10251

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was detected in FoxCMS up to 1.24. Affected by this issue is the function batchCope of the file /app/admin/controller/Images.php. The manipulation of the argument ids results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2025-10251

Source VulDB

Published Sep 11, 2025 at 13:02

Modified Sep 11, 2025 at 13:33

Affected Product

Vendor n/a

Product FoxCMS

Version 1.0

Affected Versions n/a FoxCMS 1.0
n/a FoxCMS 1.1
n/a FoxCMS 1.2
n/a FoxCMS 1.3
n/a FoxCMS 1.4
n/a FoxCMS 1.5
n/a FoxCMS 1.6
n/a FoxCMS 1.7
n/a FoxCMS 1.8
n/a FoxCMS 1.9
n/a FoxCMS 1.10
n/a FoxCMS 1.11
n/a FoxCMS 1.12
n/a FoxCMS 1.13
n/a FoxCMS 1.14
n/a FoxCMS 1.15
n/a FoxCMS 1.16
n/a FoxCMS 1.17
n/a FoxCMS 1.18
n/a FoxCMS 1.19
n/a FoxCMS 1.20
n/a FoxCMS 1.21
n/a FoxCMS 1.22
n/a FoxCMS 1.23
n/a FoxCMS 1.24

CWE Classification

CWE-89 CWE-74

References

{
    "lastseen": "",
    "description": "A vulnerability was detected in FoxCMS up to 1.24. Affected by this issue is the function batchCope of the file /app/admin/controller/Images.php. The manipulation of the argument ids results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2025-09-11T13:02:06.501Z",
    "modified": "2025-09-11T13:33:52.704Z",
    "type": "cve",
    "title": "FoxCMS Images.php batchCope sql injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.323611\nhttps://vuldb.com/?ctiid.323611\nhttps://vuldb.com/?submit.642476\nhttps://github.com/ueh1013/VULN/issues/3",
    "id": "CVE-2025-10251",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "n/a FoxCMS 1.0\nn/a FoxCMS 1.1\nn/a FoxCMS 1.2\nn/a FoxCMS 1.3\nn/a FoxCMS 1.4\nn/a FoxCMS 1.5\nn/a FoxCMS 1.6\nn/a FoxCMS 1.7\nn/a FoxCMS 1.8\nn/a FoxCMS 1.9\nn/a FoxCMS 1.10\nn/a FoxCMS 1.11\nn/a FoxCMS 1.12\nn/a FoxCMS 1.13\nn/a FoxCMS 1.14\nn/a FoxCMS 1.15\nn/a FoxCMS 1.16\nn/a FoxCMS 1.17\nn/a FoxCMS 1.18\nn/a FoxCMS 1.19\nn/a FoxCMS 1.20\nn/a FoxCMS 1.21\nn/a FoxCMS 1.22\nn/a FoxCMS 1.23\nn/a FoxCMS 1.24",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FoxCMS",
    "version": "1.0",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}