Impact
The vulnerability resides in the process_lesson.php script of the SourceCodester Online Examination & Learning Management System. An attacker can manipulate the user_id argument to upload any file without restriction, which may lead to overwriting server files or executing malicious code if the uploaded file is executed by the web server. This weakness aligns with CWE-434 (Unrestricted File Upload) and CWE-284 (Improper Access Control). The impact includes potential loss of confidentiality, integrity, or availability of the system if an attacker successfully places a malicious file in a location that can be executed.
Affected Systems
The impacted product is SourceCodester Online Examination & Learning Management System version 1.0, as identified in the affected file process_lesson.php. No other versions or variants were listed in the CNA data.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, suggesting that published exploitation activity data is not publicly quantified. The vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw remotely by sending a crafted user_id value to /process_lesson.php; the public exploit is documented, so the likelihood of real‑world exploitation remains significant until a patch is applied.
OpenCVE Enrichment