CVE-2024-57487
Published: 13 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2024-57487 is a code injection vulnerability (CWE-94) in the Code-Projects Online Car Rental System version 1.0. The issue stems from the file upload feature, which lacks validation of file extensions or MIME types. This allows attackers to upload arbitrary files, including PHP shells, without restrictions, enabling command execution on the server. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and was published on 2025-01-13.
An unauthenticated attacker can exploit this remotely over the network with low attack complexity and no user interaction. By leveraging the insecure file upload, they can upload a PHP shell and execute commands on the server, resulting in limited impacts to confidentiality and integrity.
References include the project's source code page at https://code-projects.org/online-car-rental-using-php-source-code/ and a GitHub repository at https://github.com/aaryan-11-x/CVE-2024-57487-and-CVE-2024-57488. No specific mitigation steps, patches, or vendor advisories are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload vulnerability in the web application enables exploitation of a public-facing application (T1190) and deployment of a PHP web shell for remote command execution (T1505.003).