SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio.
The vulnerability (CWE-73 — External Control of File Name or Path) occurs in the /dashboard/portfolio file, which handles the portfolio creation function. Lack of proper validation of uploaded files allows an attacker to place a file with any extension (e.g., a malicious PHP script) on the server. After uploading such a file, the attacker can directly access its location and trigger server-side code execution.
An attacker can gain full control of the server through remote code execution (RCE), as well as gain unauthorized access to data, modify website content, or take control of the operating system.
Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to implement restrictive validation of file types and extensions on the server side, store uploaded files outside the webroot directory, and configure the server to prevent script execution in directories designated for user files.
SourceCodester Company Website CMS version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTorrahclef Company Website Cms
APPTorrahclef1.0
Related vulnerabilities
Podatność file upload w SourceCodester Company Website CMS 1.0
A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file ...
A vulnerability was determined in SourceCodester Company Website CMS 1.0. This vulnerability affects unknown c...
SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.