CVE-2024-57487
Published: 13 January 2025
Summary
CVE-2024-57487 is a medium-severity Code Injection (CWE-94) vulnerability in Code-Projects Online Car Rental System. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2024-57487 affects the file upload feature in Code-Projects Online Car Rental System version 1.0. The component fails to validate file extensions or MIME types, enabling unrestricted upload of arbitrary files such as PHP shells. The issue is tracked under CWE-94 with a CVSS 3.1 base score of 6.5 reflecting network-accessible attack conditions that require no privileges or user interaction.
An unauthenticated remote attacker can upload a malicious PHP file directly to the server and then execute operating-system commands through the resulting web shell. This grants partial confidentiality and integrity impact without affecting availability.
The two referenced sources are the original project page and a public GitHub repository containing exploit details; neither supplies vendor patches, configuration guidance, or mitigation steps. The associated EPSS score stands at 0.5789, with no reported change from an earlier lower value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53600
Vulnerability details
In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types, allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload vulnerability in the web application enables exploitation of a public-facing application (T1190) and deployment of a PHP web shell for remote command execution (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of information inputs such as file extensions and MIME types, addressing the core vulnerability in the unrestricted file upload feature.
- SI-9 (Information Input Restrictions): Restricts information inputs to organization-defined types and formats, preventing the upload of arbitrary executable files like PHP shells.
- Malicious code protection: Employs malicious code protection to scan and block uploaded PHP shells, providing defense-in-depth against unvalidated file uploads.
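As an added example (not code from the Code-Projects Online Car Rental System or from this page), the following PHP upload handler applies the SI-10 and SI-9 controls above: an extension allowlist, server-side content sniffing instead of the client-supplied MIME type, a server-chosen random filename, and storage outside the web root. The function name, the allowlist and the storage path are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's own code. upload_image(), ALLOWED_TYPES
// and UPLOAD_DIR are assumed names chosen for this illustration.

// Allowlist: permitted extensions mapped to the MIME type the content must really have.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// Store uploads outside the document root so nothing uploaded is ever executed as a script.
const UPLOAD_DIR = '/var/app/uploads';   // assumption: a directory the web server does not serve

/**
 * Validate one $_FILES entry and move it to UPLOAD_DIR under a random name.
 * Returns the stored filename; throws on any validation failure.
 */
function upload_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Check only the final extension, lower-cased, so "shell.php" and "shell.PHP"
    // are rejected; "shell.php.jpg" passes this step only if its content is a real JPEG
    // (checked next), and the client's name never reaches the filesystem anyway.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File extension not allowed');
    }

    // Never trust $file['type']: the client sets it. Sniff the bytes on disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("Content type '$mime' does not match extension .$ext");
    }

    // Server-chosen random name with the validated extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}
```

Files kept outside the web root must be served back through a script that sets an explicit Content-Type and Content-Disposition header, which keeps even a mis-sniffed file from being interpreted as PHP or HTML.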