CVE-2017-15957
Published 2017-10-29

CVE-2017-15957: my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.

Priority: P262, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.95% (89.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ingenious_school_management_system_project | ingenious_school_management_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unexpected file types (e.g., .php, .jsp, .asp webshells) uploaded via POST requests to my_profile.php or view/teacher_profile2.php by authenticated student or teacher roles.
- Alert on HTTP GET/POST requests accessing files under the /uploads/ directory that have executable extensions (e.g., .php), which may indicate post-exploitation webshell access.
- my_profile.php in Ingenious School Management System 2.3.0 is the vulnerable endpoint; flag any multipart/form-data file upload requests to this endpoint.
- The exploit path uses [PATH] as a placeholder; the actual installation subdirectory will vary per deployment. Detections should use wildcard/regex matching for the path prefix.
- The uploaded filename is not fixed ([FILE] placeholder); defenders cannot rely on a static filename IOC and must instead monitor the uploads/ directory for newly created executable-extension files.
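The detection points above can be combined into one access-log pass. The following is an added example, not a rule from the cited sources or the vendor: it assumes the Apache/nginx "combined" log layout, and the function name `scan`, the finding labels and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Any installation prefix ([PATH] on this page) may precede the endpoint.
PROFILE = re.compile(
    r'^(?:/[^/?]+)*/(?:my_profile\.php|view/teacher_profile2\.php)(?:\?|$)', re.I)
# A script-extension file anywhere below an uploads/ directory, any file name.
SCRIPT = re.compile(
    r'^(?:/[^/?]+)*/uploads/(?:[^/?]+/)*[^/?]+\.(?:php\d?|phtml|phar|jsp|aspx?)(?:[/?]|$)',
    re.I)

def scan(lines):
    """Return (client_ip, finding, path) tuples in log order."""
    uploaders, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # normalise percent-encoding before matching
        if m["method"] == "POST" and PROFILE.search(path):
            # Access logs carry no Content-Type, so every POST is kept for review.
            uploaders.add(m["ip"])
            findings.append((m["ip"], "profile-post", path))
        elif SCRIPT.search(path) and m["status"] != "404":
            # Escalate when the same client posted to the profile endpoint earlier.
            kind = "upload-then-exec" if m["ip"] in uploaders else "script-in-uploads"
            findings.append((m["ip"], kind, path))
    return findings

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE = [
    '192.0.2.10 - - [29/Oct/2017:10:00:01 +0000] "GET /school/my_profile.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [29/Oct/2017:10:00:09 +0000] "POST /school/my_profile.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [29/Oct/2017:10:00:15 +0000] "GET /school/uploads/note.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [29/Oct/2017:10:01:00 +0000] "GET /school/uploads/avatar.png HTTP/1.1" 200 20480',
    '198.51.100.7 - - [29/Oct/2017:10:02:00 +0000] "GET /sms/uploads/a%2Ephp HTTP/1.1" 200 3',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs alone cannot show file creation; pair this with file-integrity monitoring on the uploads/ directory to catch uploads that are never requested.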
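CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |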
- https://packetstormsecurity.com/files/144431/Ingenious-School-Management-System-2.3.0-Arbitrary-File-Upload.html
- https://www.exploit-db.com/exploits/43102/
Published: 2017-10-29