216.73.217.22

CVE-2014-125126

· Published 31/07/2025 15:15 · Modified 31/07/2025 18:42

Labels: CVE-2014-125126 2025-07-31CVE-2014-125126CWE-306[email protected]

Essential information

Published
31/07/2025 15:15
Modified
31/07/2025 18:42
Author
Creator
CVSS
9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application’s upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
simple / e-document cpe:2.3:a:simple:e-document:3.0-3.1:*:*:*:*:*:*:*

References