Cyber Resilience

CVE-2024-57487

Severity: Medium
Published: 13 January 2025
Modified: 03 April 2025
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS score: 0.5789 (98.2nd percentile)
Risk priority: 48 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57487 is a medium-severity Code Injection (CWE-94) vulnerability in Code-Projects Online Car Rental System. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2024-57487 affects the file upload feature in Code-Projects Online Car Rental System version 1.0. The component fails to validate file extensions or MIME types, enabling unrestricted upload of arbitrary files such as PHP shells. The issue is tracked under CWE-94 with a CVSS 3.1 base score of 6.5 reflecting network-accessible attack conditions that require no privileges or user interaction.

An unauthenticated remote attacker can upload a malicious PHP file directly to the server and then execute operating-system commands through the resulting web shell. This grants partial confidentiality and integrity impact without affecting availability.

The two referenced sources are the original project page and a public GitHub repository containing exploit details; neither supplies vendor patches, configuration guidance, or mitigation steps. The EPSS score currently stands at 0.5789, with no change reported from an earlier, lower value.


Vulnerability details

In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The unrestricted file upload vulnerability in the web application enables exploitation of a public-facing application (T1190) and deployment of a PHP web shell for remote command execution (T1505.003).

CVEs Like This One

CVE-2025-8255 (same vendor: Code-Projects)
CVE-2025-7413 (same vendor: Code-Projects)
CVE-2025-7412 (same vendor: Code-Projects)
CVE-2025-0346 (same vendor: Code-Projects)
CVE-2026-0566 (same vendor: Code-Projects)
CVE-2026-4581 (same vendor: Code-Projects)
CVE-2025-70995 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2026-4784 (same vendor: Code-Projects)

Affected Assets

Vendor: code-projects
Product: online car rental system
Version: 1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of information inputs such as file extensions and MIME types, addressing the core vulnerability in the unrestricted file upload feature.

SI-9 Information Input Restrictions (prevent): Restricts information inputs to organization-defined types and formats, preventing the upload of arbitrary executable files such as PHP shells.

SI-3 Malicious Code Protection (prevent, detect): Employs malicious code protection to scan and block uploaded PHP shells, providing defense in depth against unvalidated file uploads.
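The validation that the SI-10 and SI-9 controls call for, shown as an added Python example (not code from the Code-Projects application): an upload handler that allowlists extensions, requires the client-declared MIME type to agree with the extension, checks the file's magic bytes, and stores the file under a server-generated name. The accepted image types and the function names are assumptions made for this example.

```python
import os
import secrets

# Allowlist for the upload feature (assumed for this example: images only).
# Each entry maps an extension to its MIME type and accepted magic bytes.
ALLOWED_TYPES = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller must discard it."""


def validate_upload(filename: str, content: bytes, declared_mime: str) -> str:
    """Check an upload against the allowlist and return a safe storage name.

    Three independent checks (extension, declared MIME type, content magic
    bytes) replace the validation missing from the vulnerable component."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path parts
    parts = base.lower().split(".")
    # Require exactly one extension: this rejects "shell.php", "shell.php.png"
    # and extension-less names, which defeat naive "ends with .png" checks.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    mime, signatures = ALLOWED_TYPES[ext]
    # The declared MIME type is client-controlled and untrusted, but a
    # mismatch with the extension is still a clear reason to reject.
    if declared_mime.lower() != mime:
        raise UploadRejected("declared MIME type does not match extension")
    # Inspect the bytes themselves: a PHP script renamed to .png has no PNG header.
    if not any(content.startswith(sig) for sig in signatures):
        raise UploadRejected("content does not match the declared image type")
    # Server-chosen random name: no user input reaches the filesystem path.
    # Store the result outside the web root or in a no-execute directory.
    return f"{secrets.token_hex(16)}.{ext}"


def accepts(filename: str, content: bytes, declared_mime: str) -> bool:
    """True if the upload would be stored, False if it is rejected."""
    try:
        validate_upload(filename, content, declared_mime)
        return True
    except UploadRejected:
        return False
```

A file that passes these checks is still only known to look like an image; serving uploads from a location where the web server never executes scripts is what removes the web-shell outcome even when a polyglot slips through.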
