{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T20:41:22.933","vulnerabilities":[{"cve":{"id":"CVE-2025-52922","sourceIdentifier":"cve@mitre.org","published":"2025-06-23T12:15:23.150","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary directories on the server via the /api/file_manager/directories endpoint, (3) read arbitrary files from the server by copying the file to a readable location within the application via the /api/file_manager/copy_files endpoint, {4) delete arbitrary files from the server via a DELETE request to /api/file_manager/files, or (5) create arbitrary files on the server by uploading them and then leveraging the /api/file_manager/move_files endpoint to move them anywhere in the filesystem."},{"lang":"es","value":"Innoshop, hasta la versión 0.4.1, permite Directory Traversal mediante los endpoints de la API de FileManager. Un atacante autenticado con acceso al panel de administración podría aprovechar esta función para: (1) mapear completamente la estructura del sistema de archivos mediante el endpoint /api/file_manager/files?base_folder=, (2) crear directorios arbitrarios en el servidor mediante el endpoint /api/file_manager/directories, (3) leer archivos arbitrarios del servidor copiándolos a una ubicación legible dentro de la aplicación mediante el endpoint /api/file_manager/copy_files, (4) eliminar archivos arbitrarios del servidor mediante una solicitud DELETE a /api/file_manager/files, o (5) crear archivos arbitrarios en el servidor subiéndolos y luego utilizando el endpoint /api/file_manager/move_files para moverlos a cualquier parte del sistema de archivos."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":3.7}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-23"}]}],"references":[{"url":"https://github.com/innocommerce/innoshop","source":"cve@mitre.org"},{"url":"https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f","source":"cve@mitre.org"}]}}]}