Arbitrary File Upload Vulnerability in SourceCodester Client Database Management System
CVE-2025-46191

9.8CRITICAL

Key Information:

Vendor: SourceCodester
Status: Client Database Management System
Vendor: CVE Published:; 9 May 2025

What is CVE-2025-46191?

The vulnerability arises in user_payment_update.php of SourceCodester's Client Database Management System 1.0, enabling attackers to upload arbitrary files due to insufficient validation checks for file extensions and MIME types. This weakness allows unauthenticated users to exploit the uploaded_file_cancelled field, potentially leading to the upload of malicious PHP scripts into accessible directories. If successful, this can result in the execution of remote commands by attackers, thereby compromising the system's integrity.

References

https://portswigger.net/web-security/file-upload

https://github.com/x6vrn/mitre/blob/main/CVE-2025-46191.md

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2025
Vulnerability Reserved
Apr 22, 2025