CVE-2025-7895

A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://vuldb.com/?ctiid.317010	Permissions Required VDB Entry
https://vuldb.com/?id.317010	Third Party Advisory VDB Entry
https://vuldb.com/?submit.608940	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:harry0703:moneyprinterturbo:*:*:*:*:*:*:*:*

History

20 Nov 2025, 21:25

Type	Values Removed	Values Added
First Time		Harry0703 Harry0703 moneyprinterturbo
References	~~() https://vuldb.com/?ctiid.317010 -~~	() https://vuldb.com/?ctiid.317010 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.317010 -~~	() https://vuldb.com/?id.317010 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.608940 -~~	() https://vuldb.com/?submit.608940 - Third Party Advisory, VDB Entry
CPE		cpe:2.3:a:harry0703:moneyprinterturbo::::::::

Information

Published : 2025-07-20 15:15

Updated : 2025-11-20 21:25

NVD link : CVE-2025-7895

Mitre link : CVE-2025-7895

CVE.ORG link : CVE-2025-7895

JSON object : View

Products Affected

harry0703

moneyprinterturbo

CWE

CWE-284

Improper Access Control

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-7895", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-20T15:15:24.670", "references": [{"url": "https://vuldb.com/?ctiid.317010", "tags": ["Permissions Required", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?id.317010", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.608940", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad clasificada como cr\u00edtica en harry0703 MoneyPrinterTurbo hasta la versi\u00f3n 1.2.6. La funci\u00f3n upload_bgm_file del archivo app/controllers/v1/video.py del componente File Extension Handler se ve afectada. La manipulaci\u00f3n del argumento File permite una carga sin restricciones. El ataque puede ejecutarse en remoto."}], "lastModified": "2025-11-20T21:25:14.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:harry0703:moneyprinterturbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "996FCD58-2276-45A5-A7DA-B7E3BB897B4E", "versionEndIncluding": "1.2.6"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}