CVE-2025-34100

An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution.

CVSS

No CVSS.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/builderengine_upload_exec.rb
https://support.alertlogic.com/hc/en-us/articles/115004703183-BuilderEngine-Content-Management-System-CMS-elFinder-2-0-Arbitrary-File-Upload
https://vulncheck.com/advisories/builder-engine-unauthenticated-arbitrary-file-upload
https://www.exploit-db.com/exploits/40390

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 20:15

Updated : 2025-07-15 13:14

NVD link : CVE-2025-34100

Mitre link : CVE-2025-34100

CVE.ORG link : CVE-2025-34100

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-306

Missing Authentication for Critical Function

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-34100", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "disclosure@vulncheck.com"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-10T20:15:25.710", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/builderengine_upload_exec.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://support.alertlogic.com/hc/en-us/articles/115004703183-BuilderEngine-Content-Management-System-CMS-elFinder-2-0-Arbitrary-File-Upload", "source": "disclosure@vulncheck.com"}, {"url": "https://vulncheck.com/advisories/builder-engine-unauthenticated-arbitrary-file-upload", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/40390", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine\u2019s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution."}, {"lang": "es", "value": "Existe una vulnerabilidad de carga de archivos sin restricciones en BuilderEngine 3.5.0 debido a la integraci\u00f3n del gestor de archivos elFinder 2.0 y su uso del complemento jQuery File Upload. El complemento no valida ni restringe correctamente los tipos o ubicaciones de los archivos durante las operaciones de carga, lo que permite a un atacante cargar un archivo .php malicioso y, posteriormente, ejecutar c\u00f3digo PHP arbitrario en el servidor, en el contexto del proceso del servidor web. Si bien la vulnerabilidad principal reside en el componente jQuery File Upload, la integraci\u00f3n incorrecta de BuilderEngine y la falta de controles de acceso exponen esta funcionalidad a usuarios no autenticados, lo que resulta en la ejecuci\u00f3n remota completa de c\u00f3digo."}], "lastModified": "2025-07-15T13:14:49.980", "sourceIdentifier": "disclosure@vulncheck.com"}