| عنوان | code-projects Vehicle Management System In PHP With Source Code 1.0` Incomplete Identification of Uploaded File Variables |
|---|
| الوصف | The application exposes an admin-only "New Driver" registration form at newdriver.php that includes a photo upload field. However, the endpoint performs no session validation — any unauthenticated attacker can directly access it without being redirected to login. Furthermore, the photo upload field accepts any file type including PHP files, with no extension filtering, MIME type validation, or content inspection.
the attacker can get remote code execution |
|---|
| المصدر | ⚠️ https://github.com/Xmyronn/Vehicle-Management-System-In-PHP---Unauthenticated-Remote-Code-Execution.git |
|---|
| المستخدم | imad alvi (UID 97088) |
|---|
| ارسال | 19/05/2026 02:43 PM (19 أيام منذ) |
|---|
| الاعتدال | 05/06/2026 10:22 AM (17 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 368884 [code-projects Vehicle Management System 1.0 New Driver Registration Form newdriver.php photo تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|