3.7

CVE-2025-15244

Exploit

PHPEMS Purchase Request race condition

A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpemsPhpems Version <= 11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.35% 0.266
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@vuldb.com 2.9 0 0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
cna@vuldb.com 2.6 4.9 2.9
AV:N/AC:H/Au:N/C:N/I:P/A:N
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://vuldb.com/?id.338634
Third Party Advisory
VDB Entry
https://vuldb.com/?ctiid.338634
VDB Entry
Permissions Required
https://vuldb.com/?submit.725727
Third Party Advisory
VDB Entry
https://byebydoggy.github.io/post/2025/1229-phpems-points-race-condition-poc/
Third Party Advisory
Exploit
Mitigation