| Field | Value |
|---|---|
| Title | SourceCodester Student Result Management System (SRMS) 1.0 Path Traversal |
| Description | A vulnerability was found in SourceCodester Student Result Management System 1.0. The file /admin/core/drop_student.php does not properly sanitize the user-supplied 'img' parameter of a GET request before passing it to the unlink() function. This allows an authenticated attacker to inject path traversal sequences (e.g., ../) and delete arbitrary files outside the intended images/students/ directory. The vulnerability is particularly critical because it can be exploited via a single crafted GET request without requiring a file upload, which makes exploitation trivial. Previously reported vulnerabilities in this application require POST requests and file upload functionality; this issue is therefore a distinct, additional attack vector with significantly lower exploitation complexity and higher practical risk. |
| Source | ⚠️ https://github.com/Xmyronn/cve-srms-drop-student-path-traversal |
| User | imad alvi (UID 97088) |
| Submission | 04/04/2026 01:15 (14 days ago) |
| Moderation | 04/12/2026 20:12 (9 days later) |
| Status | Duplicate |
| VulDB entry | 309022 [SourceCodester Student Result Management System 1.0 drop_student.php img path traversal] |
| Points | 0 |
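A hardened deletion handler for the pattern the description reports, written here as an added example and not taken from the SRMS project: the 'img' GET parameter, the unlink() call and the images/students/ directory follow the description, while the helper name deleteStudentImage(), the BASE_DIR constant and the name allow-list are assumptions.

```php
<?php
// Added example (not SRMS code): delete a student image only when the
// canonical path of the target stays directly inside images/students/.
// BASE_DIR and deleteStudentImage() are assumed names, not from the project.
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/../../images/students';

function deleteStudentImage(string $img): bool
{
    // Accept only a bare file name: basename() strips any directory part,
    // so "../x" or "sub/x" differ from their basename and are rejected.
    // NUL bytes are rejected explicitly because realpath() refuses them.
    if ($img === '' || $img !== basename($img) || strpos($img, "\0") !== false) {
        return false;
    }
    // Allow-list the expected image-name shape (assumed extension set).
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.(jpe?g|png|gif)\z/i', $img)) {
        return false;
    }

    // Resolve both sides to canonical paths; this also follows symlinks,
    // so a link planted inside the directory cannot point the delete elsewhere.
    $base   = realpath(BASE_DIR);
    $target = realpath(BASE_DIR . '/' . $img);
    if ($base === false || $target === false) {
        return false; // directory missing or file does not exist
    }
    // The file must live directly under the base directory and be a regular file.
    if (dirname($target) !== $base || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Handler usage (admin session check assumed to have run already).
// The reported bug passes $_GET['img'] to unlink() without these checks.
$img = isset($_GET['img']) ? (string) $_GET['img'] : '';
if (!deleteStudentImage($img)) {
    http_response_code(400);
    exit('Invalid image reference');
}
```

Logging rejected values (without echoing them back to the client) gives a simple detection signal for traversal attempts against this endpoint.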