PT-2021-21300 · Sourcecodester · Sourcecodester Online Covid Vaccination Scheduler System

Faisalfs10X
Published: 2021-08-03
Updated: 2021-08-12
CVE: CVE-2021-36622
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Sourcecodester Online Covid Vaccination Scheduler System version 1.0

Description
The issue is an Arbitrary File Upload. The admin panel's profile photo upload function, accessible at "http://localhost/scheduler/admin/?page=user", accepts a file based on the client-supplied Content-Type header rather than the file's actual contents. An attacker can upload a malicious file such as shell.php by setting the Content-Type to image/png, then request the uploaded file from the server, potentially leading to unauthorized access.

Recommendations
For Sourcecodester Online Covid Vaccination Scheduler System version 1.0, consider disabling the profile photo upload function in the admin panel until a fix is available. Restrict access to the "http://localhost/scheduler/admin/?page=user" endpoint to minimize the risk of exploitation. Do not accept uploads on the strength of the Content-Type header alone: the header is chosen by the client, so a mismatch between the declared type and the file's real contents must be rejected server-side.
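The defensive check the recommendation describes, as an added example that is not the scheduler project's own code: the upload handler ignores the declared Content-Type and instead inspects the temporary file itself (magic-byte MIME detection and an image decode), then stores it under a server-chosen random name whose extension comes from the detected type, never from the client filename. The form field name, the size limit and the upload directory are assumptions, and the two demo inputs at the bottom are constructed in-place rather than real uploads.

```php
<?php
// Added example, not code from the affected project. Validates a profile
// photo upload without trusting the client-supplied Content-Type header.
// Assumed: uploads land in $uploadDir (hypothetical path) and the web
// server is configured not to execute scripts from that directory.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // 2 MiB; a constructed limit

/**
 * Inspect the uploaded temp file and return the extension the server will
 * assign, or throw if the contents are not a permitted image type.
 */
function validateImageUpload(string $tmpPath): string
{
    if (!is_file($tmpPath)) {
        throw new RuntimeException('upload missing');
    }
    if (filesize($tmpPath) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('upload too large');
    }

    // Check 1: server-side MIME detection from the file's magic bytes.
    // $_FILES['img']['type'] (whatever the client declared) is never consulted.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if (!in_array($detected, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        throw new RuntimeException("rejected: detected type is $detected");
    }

    // Check 2: the bytes must parse as an image. getimagesize() returns
    // false for a PHP script regardless of the header the request carried.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('rejected: not a decodable image');
    }

    // The stored extension is derived from the detected type, so an
    // original filename like "shell.php" has no influence on the result.
    return ALLOWED_IMAGE_TYPES[$info[2]];
}

/**
 * Move a validated upload into $uploadDir under a random name chosen by the
 * server. move_uploaded_file() additionally refuses files that did not
 * arrive through PHP's upload mechanism.
 */
function storeProfilePhoto(string $tmpPath, string $uploadDir): string
{
    $ext  = validateImageUpload($tmpPath);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

// Constructed demo inputs (not real uploads): a 1x1 PNG and a PHP script.
// Only the validation step is exercised here; storeProfilePhoto() needs a
// genuine multipart upload because of move_uploaded_file().
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'x'; ?>\n");

foreach ([$png, $script] as $path) {
    try {
        echo basename($path), ': accepted, stored as .', validateImageUpload($path), PHP_EOL;
    } catch (RuntimeException $e) {
        echo basename($path), ': ', $e->getMessage(), PHP_EOL;
    }
    unlink($path);
}
```

Running the demo accepts the PNG and rejects the script with a "detected type is text/x-php" message, which is the behaviour a reviewer should look for when triaging an upload handler: the decision must depend on the file bytes and a server-chosen extension, not on the request's Content-Type or original filename. The second check matters because finfo alone can be satisfied by a file that begins with an image signature; requiring the image to decode narrows what can be stored, and serving the upload directory with script execution disabled limits the impact if something slips through.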

Weakness Enumeration
Unrestricted File Upload

Related Identifiers
CVE-2021-36622

Affected Products
Sourcecodester Online Covid Vaccination Scheduler System