CVE-2025-11078 Overview
CVE-2025-11078 is an unrestricted file upload vulnerability in itsourcecode Open Source Job Portal 1.0. The flaw resides in the /admin/user/controller.php?action=photos endpoint, where the photo parameter accepts files without proper validation. An authenticated attacker with low privileges can manipulate the photo argument to upload arbitrary files remotely. The weakness is classified as Improper Access Control [CWE-284]. Public disclosure of exploitation details has been made, increasing the likelihood of opportunistic abuse against exposed installations.
Critical Impact
Remote attackers with low-privilege credentials can upload unrestricted files through the admin photos endpoint, potentially leading to malicious content hosting or further system compromise.
Affected Products
- itsourcecode Open Source Job Portal 1.0
- Vendor: angeljudesuarez
- Affected component: /admin/user/controller.php (action=photos)
Discovery Timeline
- 2025-09-27 - CVE-2025-11078 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11078
Vulnerability Analysis
The vulnerability exists in the photo upload handler exposed through /admin/user/controller.php?action=photos. The application accepts file uploads via the photo parameter without enforcing file type, extension, or content restrictions. This unrestricted upload behavior maps to [CWE-284] Improper Access Control, allowing attackers to place arbitrary file content on the server. The attack is network-reachable and requires low privileges, but does not require user interaction. Successful exploitation produces limited impact across confidentiality, integrity, and availability based on the published metrics. The exploit details are publicly available, which lowers the barrier for opportunistic attackers scanning for vulnerable deployments.
Root Cause
The root cause is the absence of server-side validation in the photo upload routine. The handler does not allowlist permitted MIME types, verify file signatures, or restrict executable extensions. Additionally, access control on the administrative endpoint is insufficient to prevent abuse by low-privileged authenticated users.
Attack Vector
An attacker authenticates to the application and issues a crafted HTTP POST request to /admin/user/controller.php?action=photos containing a manipulated photo parameter. Because the upload routine does not sanitize file type or extension, the attacker can store attacker-controlled content within the application's web-accessible directory tree. Refer to the GitHub CVE Issue Tracker and VulDB CVE Analysis #326118 for technical specifics.
Detection Methods for CVE-2025-11078
Indicators of Compromise
- Unexpected files appearing within upload directories associated with the Job Portal application, particularly files with executable script extensions such as .php, .phtml, or .phar.
- HTTP POST requests targeting /admin/user/controller.php?action=photos with Content-Type: multipart/form-data and non-image payloads.
- New or modified files in user photo storage paths with timestamps that do not align with legitimate administrative activity.
Detection Strategies
- Inspect web server access logs for POST requests to controller.php?action=photos and correlate uploaded filenames against an allowlist of expected image extensions.
- Apply file integrity monitoring to web-accessible upload directories to alert on creation of script-executable files.
- Deploy web application firewall (WAF) rules that block uploads where the file signature does not match a permitted image MIME type.
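The log-to-file-event correlation described in the first detection strategy, written here as an added Python example (not part of the original advisory or the Job Portal project). The access-log lines and file-integrity-monitor events are constructed samples; the upload path and 30-second correlation window are assumptions.

```python
import os, re
from datetime import datetime, timedelta
# Constructed sample Apache combined-log lines (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [27/Sep/2025:10:01:12 +0000] "GET /admin/user/controller.php?action=photos HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Sep/2025:10:01:30 +0000] "POST /admin/user/controller.php?action=photos HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2025:10:02:05 +0000] "POST /admin/user/controller.php?action=photos HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [27/Sep/2025:10:02:09 +0000] "GET /admin/user/uploads/photos/shell.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
"""

# Constructed file-creation events from a file integrity monitor: (timestamp, path).
FIM_EVENTS = [
    ("27/Sep/2025:10:01:31 +0000", "/var/www/job_portal/admin/user/uploads/photos/avatar.jpg"),
    ("27/Sep/2025:10:02:06 +0000", "/var/www/job_portal/admin/user/uploads/photos/shell.php"),
]

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Return (ip, time, method, path, status) for every parsable line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            out.append((ip, datetime.strptime(ts, TS_FMT), method, path, int(status)))
    return out

def photo_upload_posts(entries):
    """Keep only POSTs to the vulnerable photos action."""
    return [e for e in entries
            if e[2] == "POST" and "controller.php" in e[3] and "action=photos" in e[3]]

def suspicious_uploads(log_text, fim_events, window_s=30):
    """Flag files created in the photo path within window_s seconds after a
    POST to action=photos when their extension is outside the image allowlist."""
    posts = photo_upload_posts(parse_log(log_text))
    hits = []
    for ts, path in fim_events:
        created = datetime.strptime(ts, TS_FMT)
        if os.path.splitext(path)[1].lower() in ALLOWED_EXT:
            continue
        for ip, when, _, _, _ in posts:
            if timedelta(0) <= created - when <= timedelta(seconds=window_s):
                hits.append((ip, path))
                break
    return hits
```

Feed it real access-log text and your FIM tool's create events; a hit pairs the source IP of the POST with the non-image file that appeared right after it.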
Monitoring Recommendations
- Forward HTTP request logs and file system change events to a centralized analytics platform for correlation and retention.
- Alert on administrative account activity originating from atypical source IP addresses or outside normal business hours.
- Track outbound network connections from the web server process to identify post-upload callbacks consistent with web shell behavior.
How to Mitigate CVE-2025-11078
Immediate Actions Required
- Restrict network access to /admin/user/controller.php to trusted administrative IP ranges using firewall or WAF rules.
- Audit existing uploaded files within the photo storage directory and remove any non-image content.
- Rotate credentials for all administrative accounts and review account provisioning for unexpected low-privilege users.
Patch Information
No vendor advisory or official patch has been published in the referenced sources. Operators should monitor the IT Source Code Resource and VulDB Entry #326118 for remediation updates. Until a vendor fix is available, apply compensating controls and consider taking exposed instances offline.
Workarounds
- Modify the upload handler to validate file extensions against an allowlist (.jpg, .jpeg, .png, .gif) and verify magic bytes server-side.
- Configure the web server to disable script execution within upload directories, for example by disallowing PHP handlers in the photos storage path.
- Enforce least privilege on administrative roles so that only fully trusted accounts can access the photos action.
# Apache configuration to disable script execution in upload directory
<Directory "/var/www/job_portal/admin/user/uploads/photos">
    # Only effective when PHP runs as mod_php; under PHP-FPM rely on the FilesMatch block below
    php_admin_flag engine off
    # Defense in depth: declare script extensions as plain text in this path
    AddType text/plain .php .phtml .phar .php3 .php4 .php5
    # Refuse to serve any script-extension file from the upload path (Apache 2.4 syntax)
    <FilesMatch "\.(php|phtml|phar|php3|php4|php5)$">
        Require all denied
    </FilesMatch>
</Directory>
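The allowlist and magic-byte checks from the first workaround above, written as an added Python example (the Job Portal itself is PHP; this is reference logic, not the project's code). The signature table and the rule that the stored name is server-generated are assumptions about how a hardened handler should behave.

```python
import os
import secrets

# Allowlisted extensions and the file signatures each must start with (JPEG, PNG, GIF).
ALLOWED = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

def validate_photo(filename: str, data: bytes):
    """Return (ok, reason). Rejects path components, double extensions,
    non-allowlisted extensions, and content whose signature does not match."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "path components or hidden names not allowed"
    name, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowlisted"
    if "." in name:                       # e.g. shell.php.jpg
        return False, "multiple extensions not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content signature does not match extension"
    return True, "ok"

def safe_target_name(ext: str) -> str:
    """Server-chosen random filename; the client-supplied name is never reused."""
    return secrets.token_hex(16) + ext.lower()
```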
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.