| Title | Bdtask Bdtask Flight Booking Software B2B Portal v4 Unrestricted File Upload |
|---|---|
| Description | Multiple image upload fields in the Agent profile edit page accept user-supplied files without proper server-side validation. Authenticated users can upload executable files (e.g., PHP web shells) disguised as images. Uploaded files are stored in a web-accessible directory and can be executed by requesting their URL, resulting in remote code execution (RCE) and full server compromise. |
| Source | https://github.com/4m3rr0r/PoCVulDb/issues/6 |
| User | 4m3rr0r (UID 85795) |
| Submission | 10/31/2025 20:06 (8 months ago) |
| Moderation | 11/15/2025 07:33 (14 days later) |
| Status | Accepted |
| VulDB entry | 332564 [Bdtask Flight Booking Software 4 Edit Profile Page /agent/profile/edit unrestricted upload] |
| Points | 19 |