CVE-2024-5047 in Student Management System
Summary
by MITRE • 05/17/2024
A vulnerability classified as critical has been found in SourceCodester Student Management System 1.0. Affected is an unknown function of the file /student/controller.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264744.
Analysis
by VulDB Data Team • 02/10/2025
CVE-2024-5047 is a critical security flaw in the SourceCodester Student Management System version 1.0, specifically within the /student/controller.php file. It is an unrestricted file upload vulnerability that occurs when the photo argument is processed, creating a significant attack surface for malicious actors. The critical classification reflects the potential for severe impact on system integrity and data security, particularly given that the exploit has been publicly disclosed and is available for use.
The technical implementation of this flaw involves improper input validation and sanitization within the photo argument processing functionality. When users attempt to upload profile photos through the system's controller, the application fails to adequately verify file types, extensions, or content, allowing attackers to upload malicious files such as web shells, malware, or other harmful executables. This lack of proper validation creates an environment where arbitrary code execution becomes possible, as the system treats uploaded files as legitimate content without sufficient security checks. The vulnerability's remote exploitability means attackers can leverage this flaw from outside the network perimeter, eliminating the need for local access or privileged credentials.
The operational impact of CVE-2024-5047 extends beyond simple unauthorized file uploads, potentially enabling full system compromise through remote code execution. Attackers can use this vulnerability to establish persistent backdoors, exfiltrate sensitive student data, disrupt system operations, or use the compromised system as a launching point for further attacks within the network. Given that this is a student management system, the data at risk includes personal information, academic records, and potentially sensitive communications between students and administrators. The public disclosure of the exploit significantly increases the likelihood of exploitation, as threat actors can immediately implement the attack without requiring additional reconnaissance or development time.
Security mitigations for this vulnerability should focus on implementing robust input validation and file type restriction mechanisms. Organizations must enforce strict file extension checks, content type verification, and mandatory file format validation before accepting any uploads. The system should employ proper file naming conventions, store uploaded files outside the web root directory, and implement appropriate access controls to prevent direct execution of uploaded content. Additionally, implementing web application firewalls, regular security code reviews, and comprehensive penetration testing can help identify and remediate similar vulnerabilities. This issue aligns with CWE-434 (Unrestricted Upload of File with Dangerous Type) and corresponds to ATT&CK technique T1190 (Exploit Public-Facing Application). Organizations should prioritize immediate patching or implementation of compensating controls to prevent exploitation of this critical vulnerability.
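The upload controls listed above, sketched in PHP as an added example; this is not code from the Student Management System or from its vendor. The function names `photo_extension` and `store_photo`, the JPEG/PNG allow-list, the 2 MiB limit and the storage directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list: MIME type detected from content => extension the server assigns.
const PHOTO_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const PHOTO_MAX_BYTES = 2 * 1024 * 1024; // assumed size limit

// Returns the extension to store the file under, or null if it is not an
// accepted photo. The client-supplied name and Content-Type are never used.
function photo_extension(string $path): ?string
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > PHOTO_MAX_BYTES) return null;
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !isset(PHOTO_TYPES[$mime])) return null;
    // The file must also parse as that image type, not just start like one.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) return null;
    return PHOTO_TYPES[$mime];
}

// Moves a $_FILES entry into $storageDir (assumed to be outside the web root)
// under a random server-generated name. Returns that name, or null on refusal.
function store_photo(array $upload, string $storageDir): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    $tmp = $upload['tmp_name'] ?? '';
    if (!is_string($tmp) || !is_uploaded_file($tmp)) return null;
    $ext = photo_extension($tmp);
    if ($ext === null) return null;
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) return null;
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a 1x1 PNG, and inert PHP text posing as a photo.
    $samples = [
        'real.png' => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
        'photo.png' => "<?php /* constructed, inert */ ?>",
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%s => %s\n", $label, photo_extension($tmp) ?? 'rejected');
        unlink($tmp);
    }
}
```

Content checks alone do not remove data embedded in an otherwise valid image, so the server-assigned name and storage outside the web root are what keep an accepted file from being executed; photos are then served through a script that reads the file and sets the image Content-Type.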