Impact
The flaw in the upload_files.php script allows attackers to upload any file type without restriction. This unrestricted upload can be used to place executable or malicious scripts on the server, leading to remote code execution, data exfiltration, or other destructive actions. The weakness is catalogued as Improper Access Control and Unrestricted Upload of Dangerous File.
Affected Systems
SourceCodester Syllabus-Aligned Learning Management and Examination System version 1.0 is affected. The vulnerability resides in an unknown function of upload_files.php.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk level. The exploit has been released to the public, so attackers can target the upload endpoint remotely through the web interface. Although the EPSS score is < 1% and the vulnerability is not listed in the KEV catalog, the low probability does not negate the potential for damage; a successful upload of a malicious file can lead to remote code execution and compromise of the underlying web server.
OpenCVE Enrichment