CVE-2025-55194

{"id": "CVE-2025-55194", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2025-08-13T23:15:27.327", "references": [{"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view", "tags": ["Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3."}, {"lang": "es", "value": "Part-DB es un sistema de gesti\u00f3n de inventario de c\u00f3digo abierto para componentes electr\u00f3nicos. Antes de la versi\u00f3n 1.17.3, cualquier usuario autenticado pod\u00eda subir una foto de perfil con una extensi\u00f3n de archivo enga\u00f1osa (p. ej., .jpg.txt), lo que provocaba un error interno del servidor 500 persistente al intentar ver o editar el perfil de dicho usuario. Esto hac\u00eda que el perfil fuera permanentemente inaccesible a trav\u00e9s de la interfaz de usuario, tanto para usuarios como para administradores, lo que constitu\u00eda una denegaci\u00f3n de servicio (DoS) en la interfaz de administraci\u00f3n de usuarios. Este problema se ha corregido en la versi\u00f3n 1.17.3."}], "lastModified": "2025-08-26T19:17:38.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F453A4D0-539A-4D14-B66E-7C9FC4C6B04F", "versionEndExcluding": "1.17.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}