CRITICAL🇵🇱 Wersja polska

CVE-2023-41506

CVSS 9.8v3.1pub. 2024-02-27upd. 2025-11-20

An arbitrary file upload vulnerability in the Update/Edit Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

🤖 AI Analysis
How it works

The student profile photo update function does not properly verify the type or content of the uploaded file. An attacker can submit a crafted PHP file instead of an allowed image file. After saving the file on the server, it can be directly invoked through a browser or HTTP request, resulting in the execution of malicious code on the server side.

Impact

An attacker can gain full control over the application server, including reading, modifying, or deleting data, as well as executing arbitrary system commands (RCE). It is also possible to compromise the database containing student data and perform further lateral movement in the network.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to implement MIME type validation and file extension verification on the server side, store files outside the webroot directory, and disable script execution in the upload directory.

Who is affected

Student Enrollment In PHP v1.0 (Code-Projects)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Code Projects Student Enrollment

    APP
    Code-Projects
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-41505CRITICAL9.8PL ✓ten sam produkt

Arbitrary file upload umożliwiający RCE w Student Enrollment In PHP

CVE-2023-41503CRITICAL9.8PL ✓ten sam produkt

SQL injection w funkcji logowania — Code-Projects Student Enrollment PHP v1.0

CVE-2023-41504HIGH8.8ten sam produkt

SQL Injection vulnerability in Student Enrollment In PHP 1.0 allows attackers to run arbitrary code via the St...

CVE-2025-7191MEDIUM5.5ten sam produkt

A vulnerability has been found in code-projects Student Enrollment System 1.0 and classified as critical. This...

CVE-2025-60306CRITICAL9.9PL ✓ten sam vendor

Auth Bypass w Simple Car Rental System — przejęcie sesji wysokich uprawnień