SourceCodester Employee Management System Profile Page edit-photo.php unrestricted upload
CVE-2024-1008

7.2HIGH

Key Information:

Vendor
SourceCodester
Status
Employee Management System
Vendor
CVE Published:
29 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

In the SourceCodester Employee Management System version 1.0, a vulnerability exists within the edit-photo.php functionality of the Profile Page component. This flaw permits an unauthorized user to upload files without restrictions, leading to significant security risks. The vulnerability is exploitable remotely, allowing attackers to potentially execute malicious code or perform unauthorized actions on the web server. Due to public disclosure, the urgency for organizations using this software to implement protective measures against potential attacks is heightened. Regular monitoring and timely updates are essential to safeguard sensitive data and maintain system integrity.

Affected Version(s)

Employee Management System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1008 - Proof of Concept

References

https://vuldb.com/?id.252277
vdb-entry
https://vuldb.com/?ctiid.252277
signaturepermissions-required
https://www.youtube.com/watch?v=z4gcLZCOcnc
exploitmedia-coverage

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

matheuzsec (VulDB User)
.