| Field | Value |
|---|---|
| Title | academico-sis academico OSS Current Unrestricted File Upload to RCE |
| Source | ⚠️ https://gist.github.com/KhanMarshaI/86d0c1553355bb168084fffbdb6e7fea |
| User | KhanMarshal (UID 89610) |
| Submission | 09/03/2025 14:12 (9 months ago) |
| Moderation | 09/20/2025 09:26 (17 days later) |
| Status | Accepted |
| VulDB entry | 325118 [academico-sis academico up to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab Profile Picture /edit-photo unrestricted upload] |
| Points | 20 |

Description

GitHub repo of academico: https://github.com/academico-sis/academico/tree/oss
Tested the OSS branch.

Vulnerability Type: Unrestricted File Upload
Impact: Remote Code Execution
Required Privilege: Student Account (Lowest Priv)

A critical security vulnerability exists in the Academico profile picture upload functionality that allows authenticated users with student privileges to upload arbitrary files, leading to remote code execution on the hosting server.

Technical Details

The application's profile picture upload feature (the /edit-photo endpoint) implements insufficient file validation controls. While the system attempts to convert uploaded images to JPG format with thumbnail generation, non-image files (PHP, HTML, SVG, etc.) bypass the conversion process and are stored directly in the web-accessible directory structure.

Attack Vector

- File Upload Bypass: The application accepts any file type despite attempting image conversion.
- Direct File System Access: Uploaded files are stored in predictable paths under /storage/[upload_id]/.
- Web-Accessible Storage: Files are directly accessible via HTTP without application-level access controls.
- Code Execution: PHP files execute server-side when accessed directly through the web server.

The POC and a better explanation are present in the gist.
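The root cause described above is that the conversion step is skipped for anything the image library cannot decode, and the original bytes are then written to a web-served path. The following is an added example of a defensive profile-photo handler, not academico's own code: it treats "does not decode as a raster image" as a hard rejection instead of a fallback, re-encodes every accepted image into a fresh JPEG so none of the original bytes (EXIF, appended payloads, polyglot tails) reach disk, and stores the result under a server-chosen random name with a fixed `.jpg` extension. It assumes plain PHP with the GD extension; the function names `sanitizeProfilePhoto` and `storeProfilePhoto` and the `$storageDir` layout are assumptions for illustration.

```php
<?php
// Added example (not academico's code). Assumes ext-gd is available.
declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

/**
 * Validate an uploaded profile picture by its CONTENT and return a freshly
 * encoded JPEG. The client-supplied filename, extension and MIME type are
 * never consulted. PHP, HTML and SVG (XML) can never pass: GD does not decode
 * them, so the request is rejected rather than stored as-is.
 */
function sanitizeProfilePhoto(string $bytes, int $maxBytes = 2000000, int $maxDim = 1024): string
{
    if ($bytes === '' || strlen($bytes) > $maxBytes) {
        throw new UploadRejected('empty upload or size limit exceeded');
    }
    // Parses the real image header (magic bytes), not the extension.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        throw new UploadRejected('not a raster image');
    }
    if (!in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        throw new UploadRejected('image type not allowed');
    }
    [$w, $h] = $info;
    if ($w < 1 || $h < 1 || $w > 8000 || $h > 8000) {
        // Guard against decompression bombs before allocating a canvas.
        throw new UploadRejected('unreasonable image dimensions');
    }
    $src = @imagecreatefromstring($bytes);
    if ($src === false) {
        throw new UploadRejected('image decode failed');
    }
    // Re-encode through a new canvas: only pixel data survives, so metadata
    // and anything appended after the image stream are discarded.
    $scale = min(1.0, $maxDim / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
    ob_start();
    imagejpeg($dst, null, 85);
    $jpeg = (string) ob_get_clean();
    imagedestroy($src);
    imagedestroy($dst);
    return $jpeg;
}

/**
 * Persist the sanitized JPEG under an unpredictable, server-chosen name with a
 * fixed extension. $storageDir must be a directory the web server never
 * executes as PHP (ideally outside the document root, served via a controller).
 */
function storeProfilePhoto(string $jpeg, string $storageDir): string
{
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (file_put_contents($path, $jpeg, LOCK_EX) === false) {
        throw new RuntimeException('could not write profile photo');
    }
    chmod($path, 0644); // readable, never executable
    return $name;
}

// Demonstration on constructed inputs (no real uploads involved).
function demo(): array
{
    // Constructed 2x2 PNG generated with GD itself.
    $img = imagecreatetruecolor(2, 2);
    ob_start();
    imagepng($img);
    $png = (string) ob_get_clean();
    imagedestroy($img);

    $results = [];
    $samples = [
        'png'  => $png,
        'php'  => "<?php echo 'not an image'; ?>",            // constructed
        'svg'  => '<svg xmlns="http://www.w3.org/2000/svg"/>', // constructed
        'html' => '<html><body>x</body></html>',               // constructed
    ];
    foreach ($samples as $label => $bytes) {
        try {
            $jpeg = sanitizeProfilePhoto($bytes);
            // JPEG output always starts with the SOI marker FF D8.
            $results[$label] = substr($jpeg, 0, 2) === "\xFF\xD8" ? 'accepted' : 'unexpected';
        } catch (UploadRejected $e) {
            $results[$label] = 'rejected: ' . $e->getMessage();
        }
    }
    return $results;
}

print_r(demo());
```

Running the demo accepts only the PNG (re-encoded as JPEG) and rejects the PHP, SVG and HTML samples with "not a raster image". Two points matter beyond the code: the application must fail closed (an upload that cannot be converted is an error, not something to store verbatim), and the storage location must be one where the web server treats every file as static data, because server-side execution of anything under `/storage/` is what turns the upload into RCE in the report above.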