{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-1947","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-03-04T13:50:23.488Z","datePublished":"2025-03-04T18:31:06.067Z","dateUpdated":"2025-03-04T18:47:26.009Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-03-04T18:31:06.067Z"},"title":"hzmanyun Education and Training System UploadImageController.java scorm command injection","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"Command Injection"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-74","lang":"en","description":"Injection"}]}],"affected":[{"vendor":"hzmanyun","product":"Education and Training System","versions":[{"version":"2.1.3","status":"affected"}]}],"descriptions":[{"lang":"en","value":"A vulnerability classified as critical has been found in hzmanyun Education and Training System 2.1.3. This affects the function scorm of the file UploadImageController.java. The manipulation of the argument param leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"Es wurde eine Schwachstelle in hzmanyun Education and Training System 2.1.3 entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion scorm der Datei UploadImageController.java. Durch die Manipulation des Arguments param mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}],"timeline":[{"time":"2025-03-04T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-03-04T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-03-04T14:55:30.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"heihei_XZ (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.298521","name":"VDB-298521 | hzmanyun Education and Training System UploadImageController.java scorm command injection","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.298521","name":"VDB-298521 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.506659","name":"Submit #506659 | hzmanyun.com education and training system v2.1.3 RCE","tags":["third-party-advisory"]},{"url":"https://github.com/heiheixz/report/blob/main/nxb_2.md","tags":["exploit"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-04T18:47:12.918319Z","id":"CVE-2025-1947","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-04T18:47:26.009Z"}}]}}