CVE-2025-0341
Published: 09 January 2025
Description
A vulnerability, which was classified as critical, has been found in CampCodes Computer Laboratory Management System 1.0. Affected by this issue is some unknown functionality of the file /class/edit/edit. The manipulation of the argument e_photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-0341 is a critical vulnerability in CampCodes Computer Laboratory Management System version 1.0. It affects some unknown functionality in the file /class/edit/edit, where manipulation of the e_photo argument enables unrestricted file upload. The issue, published on 2025-01-09, is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an authenticated attacker possessing low privileges. Exploitation requires low complexity and no user interaction, allowing the attacker to upload arbitrary files. A publicly disclosed proof-of-concept demonstrates remote code execution via this arbitrary file upload mechanism.
Advisories from VulDB (ctiid.290828, id.290828, submit.476884) confirm the remote exploitability and public disclosure of the proof-of-concept on GitHub, which details remote code execution through arbitrary file upload in the Computer Laboratory Management System. The vendor's site at campcodes.com is referenced, but no specific patches or mitigations are detailed in the available advisories.
A GitHub repository provides a POC for remote code execution, highlighting the vulnerability's potential for practical abuse since its public disclosure.
Details
- CWE(s)