| Título | code-projects Vehicle Management System In PHP With Source Code 1.0` Incomplete Identification of Uploaded File Variables |
|---|
| Descrição | The application exposes an admin-only "New Driver" registration form at newdriver.php that includes a photo upload field. However, the endpoint performs no session validation — any unauthenticated attacker can directly access it without being redirected to login. Furthermore, the photo upload field accepts any file type including PHP files, with no extension filtering, MIME type validation, or content inspection.
the attacker can get remote code execution |
|---|
| Fonte | ⚠️ https://github.com/Xmyronn/Vehicle-Management-System-In-PHP---Unauthenticated-Remote-Code-Execution.git |
|---|
| Utilizador | imad alvi (UID 97088) |
|---|
| Submissão | 19/05/2026 14h43 (há 18 dias) |
|---|
| Moderação | 05/06/2026 10h22 (17 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 368884 [code-projects Vehicle Management System 1.0 New Driver Registration Form newdriver.php photo Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|