Vendor: Landa Driving School Management System
By: Sohel Yousef
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Upload
CWE: 434
Product Name: Landa Driving School Management System
Affected Version From: 2.0.1
Affected Version To: 2.0.1
Patch Exists: NO
Related CWE:
CPE: a:landa_driving_school_management_system:2.0.1
Platforms Tested:
2022
Landa Driving School Management System 2.0.1 – Arbitrary File Upload
Landa Driving School Management System version 2.0.1 allows any registered user to upload arbitrary files, including .php5 files, through the attachments section. The client-side restriction can be bypassed by editing the raw upload request in an intercepting proxy such as Burp Suite. Because uploaded attachments are served from a web-accessible path, the uploaded file can then be reached by its direct URL, and a PHP file placed there is executed by the server.
Mitigation:
The vendor should implement server-side file type validation based on an allowlist of permitted extensions and content types, and reject executable files such as PHP scripts (including legacy extensions like .php5) regardless of any client-side checks. Additionally, the application should sanitize the supplied filename and store attachments in a location where the web server will not execute them.
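The mitigation above in code form, as an added example that is not the vendor's code: a PHP allowlist validator for an attachments upload handler. The permitted attachment types, the executable-extension list and the storage path are assumptions, not taken from the product.

```php
<?php
// Added example (not the vendor's code): server-side validation for an
// attachments upload handler. Assumes attachments are images or PDFs;
// adjust ALLOWED_EXT / ALLOWED_MIME to the real product's needs.

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];
// Extensions a PHP handler may execute, including legacy variants such as
// .php5 that a check for ".php" alone would miss.
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

/**
 * Validate an uploaded attachment. Returns a safe storage filename on
 * success or throws RuntimeException on any policy violation.
 */
function validateAttachment(string $originalName, string $tmpPath): string
{
    // Split on every dot so "report.php5.jpg" is inspected segment by segment.
    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) < 2) {
        throw new RuntimeException('attachment has no extension');
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("extension .$ext is not allowed");
    }
    // Reject an executable extension anywhere in the name: some server
    // configurations execute on the first recognised extension, not the last.
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXT, true)) {
            throw new RuntimeException('embedded executable extension rejected');
        }
    }
    // Inspect the actual bytes; the client-supplied Content-Type is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("content type $mime does not match policy");
    }
    // Discard the user-chosen name; the stored name is random and carries
    // only the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (assumed storage path, outside the document root so nothing there
// is ever handed to the PHP interpreter):
// $name = validateAttachment($_FILES['attachment']['name'], $_FILES['attachment']['tmp_name']);
// move_uploaded_file($_FILES['attachment']['tmp_name'], '/var/app/attachments/' . $name);
```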