CVE-2019-20183

Name of the Vulnerable Software and Affected Versions Employee Records System version 1.0

Description The issue allows an attacker to upload and execute arbitrary PHP code due to inadequate file-extension validation, which is only performed on the client side. This can be achieved by modifying the global.js file to permit the .php extension, allowing the attacker to bypass the client-side validation and upload malicious PHP code.

Recommendations For Employee Records System version 1.0, consider disabling the upload functionality in uploadimage.php until a proper server-side validation mechanism is implemented to prevent the upload of malicious PHP code. Restrict access to the global.js file to prevent modifications that could allow bypassing of the client-side validation.