CVE-2024-32254

Name of the Vulnerable Software and Affected Versions Phpgurukul Tourism Management System version 2.0

Description The issue concerns an unrestricted upload of files with dangerous types via the tms/admin/create-package.php endpoint. When creating a new package, there are no checks for the types of files being uploaded from the image. This lack of validation allows for the potential upload of malicious files.

Recommendations For Phpgurukul Tourism Management System version 2.0, consider disabling the file upload functionality in the create-package.php script until a patch is available to add proper file type validation. Restrict access to the tms/admin/create-package.php endpoint to minimize the risk of exploitation. Avoid using this endpoint for file uploads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.