CVE-2025-10741

Summary

A security vulnerability has been detected in Selleo Mentingo up to 2025.08.27. The affected element is an unknown function of the component Profile Picture Handler. The manipulation of the argument userAvatar leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
SelleoMentingo2025.08.0affected
SelleoMentingo2025.08.1affected
SelleoMentingo2025.08.2affected
SelleoMentingo2025.08.3affected
SelleoMentingo2025.08.4affected
SelleoMentingo2025.08.5affected
SelleoMentingo2025.08.6affected
SelleoMentingo2025.08.7affected
SelleoMentingo2025.08.8affected
SelleoMentingo2025.08.9affected
SelleoMentingo2025.08.10affected
SelleoMentingo2025.08.11affected
SelleoMentingo2025.08.12affected
SelleoMentingo2025.08.13affected
SelleoMentingo2025.08.14affected
SelleoMentingo2025.08.15affected
SelleoMentingo2025.08.16affected
SelleoMentingo2025.08.17affected
SelleoMentingo2025.08.18affected
SelleoMentingo2025.08.19affected
SelleoMentingo2025.08.20affected
SelleoMentingo2025.08.21affected
SelleoMentingo2025.08.22affected
SelleoMentingo2025.08.23affected
SelleoMentingo2025.08.24affected
SelleoMentingo2025.08.25affected
SelleoMentingo2025.08.26affected
SelleoMentingo2025.08.27affected

Weaknesses

  • CWE-434: Unrestricted Upload
  • CWE-284: Improper Access Controls

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References