PT-2021-23370 · Sourcecodester · Sourcecodester E-Negosyo System

Nu11Secur1Ty · Published 2021-10-29 · Updated 2021-11-28 · CVE-2021-41675

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sourcecodester E-Negosyo System version 1.0

Description: A Remote Code Execution (RCE) issue exists in the system, specifically in the doInsert function of the /admin/produts/controller.php file. The function's only validation of uploaded images is a call to getImageSize, which checks that a file parses as an image but does not constrain the name, extension or remaining content of the file that is stored, so it is not sufficient on its own to prevent an upload from being executed as server-side code.

Recommendations: For Sourcecodester E-Negosyo System version 1.0, consider disabling the doInsert function in the /admin/produts/controller.php file as a temporary workaround until a patch is available. Restrict access to the vulnerable controller.php file to minimize the risk of exploitation. Avoid relying on the getImageSize function as the sole image validation in the affected endpoint until the issue is resolved.
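To make the recommendation concrete, the following added example (not code from E-Negosyo System or from the advisory author) places the weak pattern the advisory describes next to a hardened upload handler. Function names, the extension allow-list and the storage directory are assumptions made for this illustration; the built-in calls (getimagesize, finfo, the GD image functions) are standard PHP.

```php
<?php
// Added illustration for this advisory, not the project's own code.
// It contrasts the weak pattern described above with a hardened handler.

// Weak check, the pattern this advisory describes: the only test is that the
// file parses as an image, and nothing constrains the stored name or content.
function weak_validate_upload(array $file): bool
{
    return @getimagesize($file['tmp_name']) !== false;
}

// Hardened handler (assumed design for the example):
//  1. confirm the file really came from this request's upload,
//  2. allow-list the extension,
//  3. derive the MIME type from file content, not from the client,
//  4. confirm it parses as an image with a matching MIME type,
//  5. re-encode through GD so only pixel data is written out,
//  6. store under a server-generated name in a directory outside the web root.
// Returns the stored file name, or null when the upload is rejected.
function hardened_store_upload(array $file, string $storageDir): ?string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Extension allow-list: anything else, including server-side script
    // extensions, is refused before the content is even inspected.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // MIME type from the bytes on disk; $file['type'] is client-supplied.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // getimagesize is still useful, but only as one check among several.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }

    // Re-encode through GD: trailing bytes, comments and metadata that are
    // not pixel data do not survive this step.
    switch ($mime) {
        case 'image/jpeg': $img = @imagecreatefromjpeg($file['tmp_name']); break;
        case 'image/png':  $img = @imagecreatefrompng($file['tmp_name']);  break;
        case 'image/gif':  $img = @imagecreatefromgif($file['tmp_name']);  break;
        default:           return null;
    }
    if ($img === false) {
        return null;
    }

    // Server-chosen random name with the validated image extension; the
    // client-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;

    switch ($mime) {
        case 'image/jpeg': $ok = imagejpeg($img, $dest, 90); break;
        case 'image/png':  $ok = imagepng($img, $dest);      break;
        default:           $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);

    return $ok ? $name : null;
}
```

The storage directory is assumed to sit outside the document root and to be served through a small read-only script that sets the Content-Type from the stored file, so a stored file is never handed to the PHP interpreter regardless of its name. Re-encoding through GD drops animation from GIFs and metadata from JPEGs, which is usually acceptable for product images but is worth stating to users of the endpoint.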

Weakness: Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2021-41675

Affected Products: Sourcecodester E-Negosyo System