CVE-2025-67325

QloApps · QloApps

The hotel review feature in QloApps contains an unrestricted file upload vulnerability allowing remote unauthenticated attackers to achieve remote code execution.

Executive summary

QloApps is affected by a critical file upload vulnerability in its hotel review feature that enables remote unauthenticated attackers to execute arbitrary code.

Vulnerability

The hotel review feature lacks sufficient validation of uploaded files, allowing an unauthenticated attacker to bypass security controls and upload malicious payloads to the server.

Business impact

Successful exploitation gives an attacker full remote code execution on the host server. This poses a catastrophic risk to data confidentiality and integrity, and the CVSS score of 9.8 reflects both the severity and the ease of exploitation (no authentication required).

Remediation

Immediate Action: Update QloApps to the latest version to address the file upload validation flaw.

Proactive Monitoring: Review server access logs for anomalous file upload activity and monitor for unexpected changes to the web directory structure.

Compensating Controls: Configure the web server to disable script execution in upload directories and deploy a WAF to filter malicious file types.
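One way to put the log-review step above into practice, as an added example that is not from this advisory or the QloApps project: a small Python checker that scans access-log lines for requests that execute script files from an upload directory, which is the footprint an upload-to-RCE chain leaves, and ties each hit back to earlier POSTs from the same client. The upload directory `/upload/`, the review endpoint `/hotel-review/submit` and the sample log lines are all constructed assumptions, not QloApps' real paths or traffic.

```python
import re
from collections import defaultdict

# Assumed upload location; the advisory does not give QloApps' actual directory.
UPLOAD_DIR = "/upload/"
# Extensions a PHP-enabled web server would execute if script execution is not disabled there.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return one finding per request for a script file under UPLOAD_DIR.

    Each finding carries the POST paths the same IP sent earlier in the log,
    so an upload followed by execution of the uploaded file stands out.
    """
    findings = []
    posts_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST":
            posts_by_ip[rec["ip"]].append(path)
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXT):
            findings.append({"ip": rec["ip"], "path": path, "status": rec["status"],
                             "prior_posts": list(posts_by_ip[rec["ip"]])})
    return findings

# Constructed sample lines (hypothetical endpoint names), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /index.php?controller=hotel HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2025:12:00:05 +0000] "POST /hotel-review/submit HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jan/2025:12:00:09 +0000] "GET /upload/review_1.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/Jan/2025:12:01:00 +0000] "GET /upload/review_2.jpg HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"script served from upload dir: {f['ip']} {f['path']} "
              f"status={f['status']} after POSTs {f['prior_posts']}")
```

A 200 status on such a request means the server executed or served the file; a 403 or 404 there is what the "disable script execution in upload directories" control should produce.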

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this remote code execution vulnerability, users must treat this as a top-priority security update. Immediate remediation is required to protect the application environment from unauthorized access and potential compromise.