CRITICAL🇵🇱 Wersja polska

CVE-2025-65656

CVSS 9.8v3.1pub. 2025-12-02upd. 2025-12-03

dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-98 (PHP Remote File Inclusion) consists of improper file name validation used in the include/require instruction in the VersionManager.php file. An attacker can provide a crafted value pointing to an external or local resource, resulting in the inclusion and execution of untrusted PHP code. Due to the network vector (AV:N) and lack of permission requirements (PR:N) and user interaction (UI:N), the attack can be performed remotely by an unauthenticated attacker.

Impact

An attacker can achieve complete server compromise through remote code execution (RCE), as well as gain access to sensitive data, modify it, or cause application unavailability.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. It is recommended to monitor the project repository (https://github.com/jqhph/dcat-admin) to obtain the updated version and implement the patch immediately. Until the patch is applied, it is recommended to restrict network access to the Dcat Admin panel using a firewall or infrastructure-level authentication mechanisms.

Who is affected

Dcat Admin version 2.2.3-beta and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dcatadmin Dcat Admin

    APP
    Dcatadmin
    ≤ 1.7.92.0.0 – 2.2.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-0709MEDIUM5.1ten sam produkt

A vulnerability was found in Dcat-Admin 2.2.1-beta. It has been rated as problematic. This issue affects some ...

CVE-2024-54774MEDIUM4.8ten sam produkt

Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.

CVE-2024-54775MEDIUM4.8ten sam produkt

Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/men...

CVE-2024-29644MEDIUM6.1ten sam produkt

Cross Site Scripting vulnerability in dcat-admin v.2.1.3 and before allows a remote attacker to execute arbitr...

CVE-2023-33736MEDIUM5.4ten sam produkt

A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitr...