Unrestricted File Upload Vulnerability in SourceCodester Prison Management System
CVE-2024-3437

7.3HIGH

Key Information:

Vendor
Sourcecodester
Status
Prison Management System
Vendor
CVE Published:
8 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A critical security issue has been identified within the SourceCodester Prison Management System, particularly in version 1.0. The vulnerability pertains to the /Admin/add-admin.php component of the Avatar Handler, where improper handling of the avatar argument allows for unrestricted file uploads. This presents a significant risk as it enables remote attackers to exploit this flaw, potentially leading to the execution of malicious files on the server. As details of this vulnerability are publicly disclosed, it is essential for users and administrators to take immediate precautions to mitigate the risks associated with this exploit.

Affected Version(s)

Prison Management System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3437 - Proof of Concept

References

https://vuldb.com/?id.259631
vdb-entrytechnical-description
https://vuldb.com/?ctiid.259631
signaturepermissions-required
https://vuldb.com/?submit.311920
third-party-advisory

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

Credit

LI YU (VulDB User)
.