CRITICAL🇵🇱 Wersja polska

CVE-2025-46193

CVSS 9.8v3.1pub. 2025-05-09upd. 2025-05-22

SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php.

🤖 AI Analysis
How it works

The vulnerability (CWE-434) results from the lack of proper validation of uploaded files through the user_proposal_update_order.php endpoint. An attacker can upload a malicious executable file (e.g., PHP webshell) without any restrictions on file type, extension, or content. After the file is loaded on the server, it is possible to execute it, leading to remote code execution in the context of the web server. The attack does not require authentication or user interaction and can be conducted remotely over the network.

Impact

The attacker gains the ability to execute arbitrary code remotely on the server, which can lead to complete system takeover, data theft, modification or destruction, as well as lateral movement within the network infrastructure.

Mitigation & patch

Apply patches available from the vendor according to the references. As immediate remedial measures, it is recommended to restrict access to the user_proposal_update_order.php file at the firewall or web server level, implement strict validation of file types and extensions, and store files outside the directory directly accessible by the web server.

Who is affected

SourceCodester Client Database Management System version 1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lerouxyxchire Client Database Management System

    APP
    Lerouxyxchire
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-46188CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46189CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46190CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46191CRITICAL9.8PL ✓ten sam produkt

Dowolne przesyłanie plików i RCE w SourceCodester Client Database Management System 1.0

CVE-2025-46192CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0