{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-13787","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-11-29T20:21:18.012Z","datePublished":"2025-11-30T10:32:08.651Z","dateUpdated":"2025-12-01T15:03:55.578Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-11-30T10:32:08.651Z"},"title":"ZenTao File control.php delete privileges management","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-269","lang":"en","description":"Improper Privilege Management"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-266","lang":"en","description":"Incorrect Privilege Assignment"}]}],"affected":[{"vendor":"n/a","product":"ZenTao","versions":[{"version":"21.7.6-8564","status":"affected"},{"version":"21.7.7","status":"unaffected"}],"modules":["File Handler"]}],"descriptions":[{"lang":"en","value":"A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":5.4,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":5.4,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":5.5,"vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C"}}],"timeline":[{"time":"2025-11-29T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-11-29T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-11-29T21:26:34.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"ez-lbz (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.333791","name":"VDB-333791 | ZenTao File control.php delete privileges management","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.333791","name":"VDB-333791 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.689892","name":"Submit #689892 | Zentao PMS <=21.7.6-85642 Privilege Escalation","tags":["third-party-advisory"]},{"url":"https://github.com/ez-lbz/ez-lbz.github.io/issues/1","tags":["issue-tracking"]},{"url":"https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868","tags":["issue-tracking"]},{"url":"https://www.zentao.net/extension-buyext-1601-download.html","tags":["patch"]}]},"adp":[{"references":[{"url":"https://github.com/ez-lbz/ez-lbz.github.io/issues/1","tags":["exploit"]},{"url":"https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-01T15:03:49.490615Z","id":"CVE-2025-13787","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-01T15:03:55.578Z"}}]}}