CVE-2025-70151
Unrestricted File Upload in Scholars Tracking System 1.0 Enables Remote Code Execution
Publication date: 2026-02-18
Last updated on: 2026-02-23
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | scholars_tracking_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70151 is a vulnerability in Scholars Tracking System 1.0 that allows an authenticated attacker to upload files without any restriction on file type or extension. The system's endpoints for uploading profile pictures store these files in a web-accessible directory using the original filename provided by the user, without validating whether the file is safe.
Because the server executes PHP files in this directory, an attacker can upload a malicious PHP file (such as a web shell) and then execute arbitrary code on the server by accessing that file through the web. This leads to remote code execution (RCE) as the web server user. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to a full compromise of the application and its environment. An attacker can execute arbitrary commands on the server, potentially gaining access to sensitive application data and database credentials.
The attacker may also read or write arbitrary files within the permissions of the web server user, install persistent backdoors, and move laterally within the network, increasing the scope of the attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of uploaded files in the web-accessible uploads/ directory that have executable extensions such as .php. Since the application does not validate file types or extensions, malicious PHP files may be present.
A proof-of-concept involves uploading a PHP file (e.g., poc.php) containing code like `<?php system($_GET['command']); ?>` and then accessing it via the web to execute commands.
To detect exploitation or presence of malicious files, you can run commands on the server such as:
- Find PHP files in the uploads directory: `find /path/to/uploads -type f -name "*.php"`
- List recently modified or created files in the uploads directory: `ls -lt /path/to/uploads`
- Check web server access logs for requests to /uploads/*.php files to identify potential exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement strict allowlist validation to accept only safe image file extensions such as jpg, jpeg, png, gif, and webp.
- Verify MIME types server-side using functions like finfo_file() and validate image headers or magic bytes to ensure only legitimate image files are accepted.
- Avoid using user-supplied filenames by generating random filenames (e.g., UUIDs) for stored files to prevent overwriting or executing malicious files.
- Disable script execution in the uploads directory by configuring the web server (Apache or Nginx) to prevent PHP or other script execution.
- Store uploaded files outside the web root and serve them via controlled download endpoints to reduce direct web access.
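The validation and storage steps above, combined into one upload handler. This is an added example, not code from Scholars Tracking System or its author; the function name `store_profile_picture`, the storage path and the size limit are assumptions.

```php
<?php
// Added example: hardened profile-picture upload (not the application's own code).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/profile-pictures'; // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;                   // assumed size limit

// Allowlist: MIME type detected from content => extension assigned by the server.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/** Validates one $_FILES entry and returns the server-generated stored filename. */
function store_profile_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }

    // 1. The client-supplied extension must be on the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext === 'jpeg' ? 'jpg' : $ext, ALLOWED, true)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 2. The content must match: MIME type from magic bytes (never $_FILES['type']),
    //    and the file must parse as an image.
    $mime      = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $storedExt = ALLOWED[(string) $mime] ?? null;
    if ($storedExt === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a supported image');
    }

    // 3. Random server-generated name; the user's filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $storedExt;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name; // save in the user's record and serve through a download endpoint
}
```

Disabling script execution for the uploads location remains a separate web server setting (Apache or Nginx) and is worth keeping even with this handler in place.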