CVE-2021-4462

Name of the Vulnerable Software and Affected Versions Employee Records System version 1.0

Description Employee Records System version 1.0 has an unrestricted file upload issue. A remote, unauthenticated attacker can upload arbitrary files through the /uploadID.php endpoint. The application lacks server-side validation, allowing uploaded files to be executed. The Shadowserver Foundation observed exploitation of this issue on 2025-02-06 UTC. The uploadID.php endpoint is the target for exploitation, and the uploadID variable is involved in the file upload process.

Recommendations Versions prior to 1.0 should be updated. As a temporary workaround, consider disabling the /uploadID.php endpoint until a patch is available.