CVE-2025-7895 | THREATINT

Description

A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely.

Es wurde eine Schwachstelle in harry0703 MoneyPrinterTurbo bis 1.2.6 gefunden. Sie wurde als kritisch eingestuft. Es betrifft die Funktion upload_bgm_file der Datei app/controllers/v1/video.py der Komponente File Extension Handler. Dank Manipulation des Arguments File mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen.

Reserved 2025-07-19 | Published 2025-07-20 | Updated 2025-07-20 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR

Problem types

Unrestricted Upload

Improper Access Controls

Product status

1.2.0

affected

1.2.1

affected

1.2.2

affected

1.2.3

affected

1.2.4

affected

1.2.5

affected

1.2.6

affected

Timeline

2025-07-19:	Advisory disclosed
2025-07-19:	VulDB entry created
2025-07-19:	VulDB entry last update

Credits

zhangjx (VulDB User) reporter

References

vuldb.com/?id.317010 (VDB-317010 | harry0703 MoneyPrinterTurbo File Extension video.py upload_bgm_file unrestricted upload) vdb-entry technical-description

vuldb.com/?ctiid.317010 (VDB-317010 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.608940 (Submit #608940 | Harry Yu MoneyPrinterTurbo v1.2.6 Incomplete Identification of Uploaded File Variables) third-party-advisory

cve.org (CVE-2025-7895)

nvd.nist.gov (CVE-2025-7895)

Download JSON