CVE-2025-70151: Malicious File Upload
code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.
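The pattern the advisory describes, with a hardened replacement beside it. This is an added example, not code from the Scholars Tracking System; the form field name "picture", the two-megabyte limit and the directory layout are assumptions.

```php
<?php
// Added example (not code from the Scholars Tracking System). The
// first function reconstructs the pattern the advisory describes;
// the second is a hardened replacement. Field name "picture", the
// size limit and the directory layout are assumptions.

// Weak pattern: original client filename, no type check, stored in
// a web-accessible directory where the server will run PHP.
function store_picture_unsafe(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];   // e.g. "avatar.php"
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: content-sniffed allow-list, server-chosen name and
// extension, size limit, non-executable mode bits.
function store_picture_safe(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $file['error']);
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes, never from the client-supplied
    // name or Content-Type header.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Random name chosen by the server; the extension is derived from
    // the detected MIME type, so a ".php" name never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;         // persist this name, not the original
}

// Usage in the upload handler (hypothetical field name):
// $stored = store_picture_safe($_FILES['picture'], __DIR__ . '/uploads');
```

The filename check is only half the fix: the uploads/ directory should also have script execution disabled in the web server configuration (for example, a `<Directory>` block with `php_admin_flag engine off` under mod_php), or the files should be stored outside the document root and served through a read-only handler.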
Frequently Asked Questions
What is the severity of CVE-2025-70151?
CVE-2025-70151 is considered a high-severity vulnerability because it allows remote code execution.
How do I fix CVE-2025-70151?
To fix CVE-2025-70151, implement strict validation and restrictions on file uploads and ensure that uploaded files are not executable.
Who is affected by CVE-2025-70151?
CVE-2025-70151 affects users of the Code-projects Scholars Tracking System version 1.0.
What type of vulnerability is CVE-2025-70151?
CVE-2025-70151 is a file upload vulnerability that allows authenticated attackers to execute arbitrary code.
What actions should I take if I am using Scholars Tracking System 1.0 in relation to CVE-2025-70151?
If you are using Scholars Tracking System 1.0, you should immediately apply necessary patches, review upload mechanisms, and remove any unauthorized files.