PT-2025-33091 · Unknown · Php Volunteer Management System

Published: 2025-08-13 · Updated: 2025-08-14 · CVE-2012-10056

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: PHP Volunteer Management System version 1.0.2
Description: PHP Volunteer Management System version 1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. The directory is publicly accessible and lacks execution controls, allowing attackers to upload a malicious PHP payload and execute it remotely. The application ships with default credentials, simplifying exploitation. Once authenticated, an attacker can upload a PHP shell and activate it via a direct GET request.
Recommendations: For PHP Volunteer Management System version 1.0.2, restrict file uploads to specific, safe file types and implement robust validation checks on uploaded files. Ensure the mods/documents/uploads/ directory is not directly accessible to the public and implement execution controls to prevent the execution of uploaded files. Change the default credentials immediately.
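The recommendations above expressed as code, as an added example that is not part of the advisory or of PHP Volunteer Management System: a hardened document-upload handler that allowlists types, verifies file content rather than the client-supplied name, assigns a random server-side filename, and stores files outside the web root. The form field name `document`, the `store_document()` function and the storage path are assumptions.

```php
<?php
// Added example, not the application's own code. Field name, function name
// and storage path are assumptions made for illustration.

// Allowlist: permitted extension => MIME type the content must actually sniff as.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
const MAX_BYTES = 5 * 1024 * 1024;

// Kept outside the document root: nothing here can be requested (or executed)
// by URL. Downloads go through an authenticated script that reads the file.
const UPLOAD_DIR = __DIR__ . '/../../private_uploads';

function store_document(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client-supplied name is used only as an allowlist lookup key.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('File type not permitted');
    }
    // Check the bytes, not the name: "shell.pdf" containing PHP source sniffs as
    // text/x-php and is rejected here.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('File content does not match its extension');
    }
    // Never reuse the uploaded filename; generate one with the validated extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}

// Defence in depth if an upload directory must remain under the web root
// (Apache): deny every request for script-like names inside it via .htaccess:
//   <FilesMatch "\.(php|phtml|phar)$">
//       Require all denied
//   </FilesMatch>

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['document'])) {
    echo 'Stored as ' . htmlspecialchars(store_document($_FILES['document']));
}
```

Pair this with the advisory's other points: the upload endpoint must still require authentication, and the shipped default credentials must be changed.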

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2012-10056

Affected Products

Php Volunteer Management System