CVE-2020-24203 — Forced Browsing in Travel Management System

CWE-425 — Forced Browsing CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

5.7%

top 9.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Projectworlds Travel Management System

Timeline

PublishedAug 27

Latest updateMay 24

Description

Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDprojectworlds/travel_management_system1.0

🔴Vulnerability Details

GHSA

GHSA-mwjj-8f4v-rq25: Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory↗2022-05-24

▶

CVEList

CVE-2020-24203: Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory↗2020-08-27

▶