CVE-2020-24203

Published: Aug 27, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.

Affected (1)

Products: Projectworlds: Travel Management System

Projectworlds

1 product

Travel Management System

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Projectworlds Travel Management System	Version 1.0

Related CWEs

CWE-425

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/hyd3sec/TravelManagementSystemRCE

Source: cve@mitre.org

ExploitThird Party Advisory

https://projectworlds.in/free-projects/php-projects/travel-management-system-project-in-php-mysql/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/hyd3sec/TravelManagementSystemRCE

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://projectworlds.in/free-projects/php-projects/travel-management-system-project-in-php-mysql/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.