| Title | Cyber-III Student-Management-System 1.0 RCE vulnerability |
|---|---|
| Description | An unrestricted file upload vulnerability exists in /AssignmentSection/submission/upload.php. The script does not validate the uploaded file’s extension or MIME type before moving it to /ResultSection/Assignment/uploads/ using move_uploaded_file(). An attacker with a valid student session can upload a malicious PHP script and achieve remote code execution. |
| Source | ⚠️ https://github.com/Cyber-III/Student-Management-System/issues/241 |
| User | Lier (UID 96711) |
| Submission | 03/23/2026 08:02 (19 days ago) |
| Moderation | 04/06/2026 10:14 (14 days later) |
| Status | Accepted |
| VulDB entry | 355492 [Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f upload.php move_uploaded_file File unrestricted upload] |
| Points | 19 |