CVE-2024-57487
Published: 13 January 2025
Summary
CVE-2024-57487 is a medium-severity Code Injection (CWE-94) vulnerability in Code-Projects Online Car Rental System. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs such as file extensions and MIME types, addressing the core vulnerability in the unrestricted file upload feature.
Restricts information inputs to organization-defined types and formats, preventing the upload of arbitrary executable files like PHP shells.
Employs malicious code protection to scan and block uploaded PHP shells, providing defense-in-depth against unvalidated file uploads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unrestricted file upload vulnerability in the web application enables exploitation of a public-facing application (T1190) and deployment of a PHP web shell for remote command execution (T1505.003).
NVD Description
In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.
Deeper analysisAI
CVE-2024-57487 is a code injection vulnerability (CWE-94) in the Code-Projects Online Car Rental System version 1.0. The issue stems from the file upload feature, which lacks validation of file extensions or MIME types. This allows attackers to upload arbitrary files, including PHP shells, without restrictions, enabling command execution on the server. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and was published on 2025-01-13.
An unauthenticated attacker can exploit this remotely over the network with low attack complexity and no user interaction. By leveraging the insecure file upload, they can upload a PHP shell and execute commands on the server, resulting in limited impacts to confidentiality and integrity.
References include the project's source code page at https://code-projects.org/online-car-rental-using-php-source-code/ and a GitHub repository at https://github.com/aaryan-11-x/CVE-2024-57487-and-CVE-2024-57488. No specific mitigation steps, patches, or vendor advisories are detailed in the available information.
Details
- CWE(s)