vendor:
Engineers Online Portal
by:
SadKris
9.8
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: Engineers Online Portal
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:sourcecodester:engineers_online_portal:1.0
Platforms Tested: XAMPP, Windows 11
2021
Engineers Online Portal 1.0 – File Upload Remote Code Execution (RCE)
Engineers Online Portal 1.0 is vulnerable to a File Upload Remote Code Execution (RCE) vulnerability. An attacker can send a maliciously crafted request to the server, which will allow them to execute arbitrary code on the server. The malicious code can be uploaded as an image file and sent to the server via a POST request. The server will then execute the code, allowing the attacker to gain access to the server.
Mitigation:
The application should validate the file type before allowing it to be uploaded. Additionally, the application should be configured to only allow certain file types to be uploaded.