Unrestricted Upload Vulnerability in itsourcecode Simple Online Hotel Reservation System
CVE-2024-6115

9.8CRITICAL

Key Information:

Vendor
Itsourcecode
Status
Simple Online Hotel Reservation System
Vendor
CVE Published:
18 June 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant security flaw has been identified in the itsourcecode Simple Online Hotel Reservation System, specifically within the add_room.php functionality. This vulnerability allows attackers to exploit an unrestricted file upload capability, which can be triggered remotely. By manipulating the photo parameter, unauthorized users can upload malicious files to the server, potentially leading to further attacks, including system compromise. The existence of this exploit in the public domain raises serious concerns about the security posture of implementations running version 1.0 of this software. Immediate actions should be taken to address this vulnerability and protect sensitive data.

Affected Version(s)

Simple Online Hotel Reservation System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-6115 - Proof of Concept

References

https://vuldb.com/?id.268867
vdb-entrytechnical-description
https://vuldb.com/?ctiid.268867
signaturepermissions-required
https://vuldb.com/?submit.358996
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

wangyuan-ui (VulDB User)
.