| Field | Value |
|---|---|
| Title | https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload |
| Description | The application does not properly validate uploaded files. In functions.php, the file upload logic only checks file size, without validating the file extension, MIME type, or content, or applying any server-side filtering.<br>Because neither file names nor file content are validated, an attacker can:<br>- upload a .php webshell<br>- upload files containing injected HTML/JS (Stored XSS)<br>- overwrite existing files if there is no randomness<br>This leads to remote code execution (RCE) on the server. |
| Source | ⚠️ https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md |
| User | Yohane-Mashiro (UID 92825) |
| Submitted | 20/11/2025 16:59 (5 months ago) |
| Moderated | 23/11/2025 08:48 (3 days later) |
| Status | Accepted |
| VulDB Entry | 333338 [code-projects Online Bidding System 1.0 addcategory.php categoryadd catimage privilege escalation] |
| Points | 20 |
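The description above boils down to a size-only check on an uploaded file. The block below is an added illustrative example, not the project's functions.php and not the submitter's proof of concept: it places that vulnerable pattern next to a hardened handler that validates extension, sniffed MIME type and image content, and stores the file under a random server-chosen name. The form field name `catimage` (taken from the VulDB entry title) and the upload directory are assumptions for the demo.

```php
<?php
// Added example (not the project's own code). Assumed field name 'catimage'
// and an upload directory passed in by the caller.

// VULNERABLE PATTERN: only size (and the PHP error code) is checked, so
// shell.php is accepted verbatim under the attacker-chosen name.
function upload_vulnerable(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('upload rejected');
    }
    // Client-controlled name and untouched content land inside the web root;
    // an existing file with the same name is silently overwritten.
    $dest = $dir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: extension allow-list, server-side MIME sniffing, image decode
// check, random server-chosen name. Returns the stored file name.
function upload_hardened(array $file, string $dir): string
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('upload rejected: error or size');
    }
    // Guards against a forged $_FILES array pointing at an arbitrary local path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload rejected: not an uploaded file');
    }

    // 1. Extension allow-list. The client name is consulted only for this
    //    check and is never reused for storage.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('upload rejected: extension not allowed');
    }

    // 2. MIME type sniffed from the bytes on disk, not from $_FILES['type'],
    //    which the client sets freely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('upload rejected: content does not match extension');
    }

    // 3. Content check: the bytes must decode as an image at all.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('upload rejected: not a valid image');
    }

    // 4. Random server-chosen name: no path traversal, no overwrite of an
    //    existing file, and no double extension like shell.php.jpg surviving
    //    into the stored name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0644); // never executable
    return $name;
}

// Usage sketch (assumed form field 'catimage', assumed uploads directory):
// $saved = upload_hardened($_FILES['catimage'], __DIR__ . '/../uploads');
```

Two caveats a reviewer would add. First, a polyglot such as a valid GIF with `<?php ... ?>` appended passes both the `finfo` and `getimagesize` checks, so the upload directory must also be configured so the web server never executes scripts from it (for Apache with mod_php, `php_flag engine off` in that directory; for nginx, a `location` block without a `fastcgi_pass` for it); re-encoding the image through GD is a further option that strips embedded payloads. Second, the random name removes the overwrite case listed in the description, but only if the application stores and serves files by that server-chosen name rather than by the original one.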