CVE-2021-4462
Published: 10 November 2025
Description
Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Mitigating Controls (NIST 800-53 r5)
- Directly requires server-side validation of file uploads including MIME types, extensions, and content, addressing the core flaw in uploadID.php that enables arbitrary file uploads.
- Mandates timely identification, reporting, and patching of the specific unrestricted file upload vulnerability in Employee Records System v1.0.
- Restricts classes of information inputs to prevent upload of dangerous file types, mitigating unrestricted arbitrary file uploads at the uploadID.php endpoint.
Security Summary
CVE-2021-4462 is an unrestricted file upload vulnerability in Employee Records System version 1.0. The flaw exists in the uploadID.php endpoint, where the application fails to perform proper server-side validation, enabling attackers to upload arbitrary files that can subsequently be executed. This issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote code execution.
A remote unauthenticated attacker can exploit this vulnerability by sending malicious files to the uploadID.php endpoint. Successful exploitation allows arbitrary file upload and execution on the server, potentially granting full control over the affected system, including data exfiltration, modification, or further compromise.
Advisories from sources like VulnCheck detail the arbitrary file upload leading to remote code execution and provide proof-of-concept exploits available on Exploit-DB. Mitigation recommendations include applying patches if available from the vendor, implementing strict server-side file validation (e.g., checking MIME types, extensions, and content), restricting upload directories to non-executable paths, and disabling dangerous file execution via web server configurations.
Exploitation evidence for CVE-2021-4462 was observed in the wild by the Shadowserver Foundation on 2025-02-06 UTC, confirming active real-world abuse prior to the CVE's publication on 2025-11-10.
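As an added illustration of the server-side validation the summary recommends (example code written for this entry, not code from Employee Records System or a vendor patch), the validator below applies an extension allowlist, checks the file's leading bytes against the type the extension claims, ignores the client-supplied MIME type, and returns a server-chosen filename; the allowed document types, the size limit and the sample inputs are assumptions.

```python
import os
import secrets

# Allowlist for an ID-document upload (assumed types): extension -> magic-byte prefixes.
# The client-supplied MIME type is never consulted; it is attacker-controlled.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit

# Constructed sample inputs (not real files) used by the checks below.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller answers HTTP 400."""


def validate_upload(filename: str, content: bytes) -> str:
    """Validate a client upload and return a server-chosen storage name.

    The returned name has a random stem and an allowlisted extension, so the
    client controls neither the name nor the type of the stored file.
    """
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Keep only the basename so "../" or "..\\" cannot steer the write location.
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("null byte in filename")
    # Every dotted suffix must be allowlisted, so names such as
    # "photo.php.jpg" or "photo.jpg.php" are rejected outright.
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    for suffix in parts[1:]:
        if suffix not in ALLOWED_SIGNATURES:
            raise UploadRejected(f"extension not allowed: .{suffix}")
    ext = parts[-1]
    # The bytes must match what the extension claims (magic-byte check).
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the upload."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False
```

Store the returned name under a directory outside the web root, or one the web server is configured not to execute scripts from; that covers the remaining case of a well-formed image that also carries script text.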
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: Employee Records System version 1.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web application enables remote unauthenticated RCE via arbitrary executable files such as web shells, mapping directly to T1190 (Exploit Public-Facing Application) and T1100 (Web Shell).