| Titel | BEST EMPLOYEE MANAGEMENT SYSTEMS 1 Remote Code Execution |
|---|
| Beschreibung | During the security assessment of "Best Employee Management System", I identified a critical arbitrary file upload vulnerability in the "admin\Operation\User.php" file. This issue arises from the lack of validation on the `$_FILES["website_image"]` input, allowing files to be uploaded without verifying their type or extension. This weakness enables attackers to upload malicious files, such as PHP web shells, which can be executed on the server. Exploitation of this vulnerability can result in remote code execution (RCE), unauthorized access to sensitive data, modification or deletion of application data, and full compromise of the affected system. Immediate remediation is required to enforce strict file type validation and secure file handling to protect system integrity and confidentiality. |
|---|
| Quelle | ⚠️ https://github.com/wanidnone-ops/CVE/issues/1 |
|---|
| Benutzer | fudugeek (UID 91138) |
|---|
| Einreichung | 09.10.2025 12:52 (vor 8 Monaten) |
|---|
| Moderieren | 10.10.2025 14:57 (1 day later) |
|---|
| Status | Duplikat |
|---|
| VulDB Eintrag | 284530 [SourceCodester Best Employee Management System 1.0 /admin/profile.php website_image erweiterte Rechte] |
|---|
| Punkte | 0 |
|---|