CVE-2025-3855

22.04.2025, 01:15

A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php/team_members/save_profile_image/ of the component Profile Picture Handler. The manipulation of the argument profile_image_file leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Resource Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
VulDB	CNA	4.3 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Vendor	Product	Version
fairsketch	rise_ultimate_project_manager	3.8.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/L4zyFox/RISE-Ultimate_Project_Manager_e_CRM

Common Weakness Enumeration

CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

References

https://github.com/L4zyFox/RISE-Ultimate_Project_Manager_e_CRM

https://vuldb.com/?ctiid.305780

https://vuldb.com/?id.305780

https://vuldb.com/?submit.556871