CRITICAL🇵🇱 Wersja polska

CVE-2023-41505

CVSS 9.8v3.1pub. 2024-03-13upd. 2025-05-28

An arbitrary file upload vulnerability in the Add Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

🤖 AI Analysis
How it works

The student profile photo upload function does not properly verify the types of uploaded files, allowing an attacker to upload a crafted PHP file instead of an actual image. After uploading the file to the server, the attacker can invoke it through a direct HTTP request, resulting in execution of the code contained in it on the server side. The vulnerability is accessible remotely, without authentication, and without victim interaction.

Impact

An attacker can gain full control over the server by executing arbitrary code (RCE), which enables reading and modifying data, privilege escalation, and potential takeover of the entire system.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to implement validation of uploaded file types (extension whitelist and MIME header verification), store uploaded files outside the webroot directory, and restrict script execution permissions in directories designated for uploads.

Who is affected

Code-Projects Student Enrollment In PHP version 1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Code Projects Student Enrollment

    APP
    Code-Projects
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-41503CRITICAL9.8PL ✓ten sam produkt

SQL injection w funkcji logowania — Code-Projects Student Enrollment PHP v1.0

CVE-2023-41506CRITICAL9.8PL ✓ten sam produkt

Arbitrary File Upload umożliwiający RCE w Student Enrollment In PHP

CVE-2023-41504HIGH8.8ten sam produkt

SQL Injection vulnerability in Student Enrollment In PHP 1.0 allows attackers to run arbitrary code via the St...

CVE-2025-7191MEDIUM5.5ten sam produkt

A vulnerability has been found in code-projects Student Enrollment System 1.0 and classified as critical. This...

CVE-2025-60306CRITICAL9.9PL ✓ten sam vendor

Auth Bypass w Simple Car Rental System — przejęcie sesji wysokich uprawnień