| Título | code-projects Vehicle Management System In PHP With Source Code 1.0` Incomplete Identification of Uploaded File Variables |
|---|
| Descripción | The application exposes an admin-only "New Driver" registration form at newdriver.php that includes a photo upload field. However, the endpoint performs no session validation — any unauthenticated attacker can directly access it without being redirected to login. Furthermore, the photo upload field accepts any file type including PHP files, with no extension filtering, MIME type validation, or content inspection.
the attacker can get remote code execution |
|---|
| Fuente | ⚠️ https://github.com/Xmyronn/Vehicle-Management-System-In-PHP---Unauthenticated-Remote-Code-Execution.git |
|---|
| Usuario | imad alvi (UID 97088) |
|---|
| Sumisión | 2026-05-19 14:43 (hace 19 días) |
|---|
| Moderación | 2026-06-05 10:22 (17 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 368884 [code-projects Vehicle Management System 1.0 New Driver Registration Form newdriver.php photo escalada de privilegios] |
|---|
| Puntos | 20 |
|---|