## Vulnerability Key Information

### Vulnerability Identifier

- **CVE ID**: CVE-2025-66802

### Vulnerability Description

- **Description**: Sourcecodester Covid-19 Contact Tracing System 1.0 contains a vulnerability classified as unrestricted file upload with dangerous file types (CWE-434). The application fails to properly validate file types during the file upload functionality, allowing remote attackers to upload arbitrary files that can be executed by the server. Successful exploitation of this vulnerability may lead to remote code execution with the privileges of the web server process. The vulnerability is remotely exploitable and may compromise the confidentiality, integrity, and availability of the affected system.

### Affected Products

- **Application**: Sourcecodester Covid-19 Contact Tracing System
- **Version**: 1.0
- **Vendor**: https://www.sourcecodester.com

### Vulnerability Details

- **Type**: Unrestricted file upload with dangerous file types
- **CWE ID**: CWE-434
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Required Privileges**: None
- **User Interaction**: None

The vulnerability arises from insufficient server-side validation of uploaded files, enabling attackers to upload files with executable extensions.

### Impact

- Successful exploitation allows attackers to execute arbitrary code on the target server. Depending on server configuration, this could result in full system compromise, unauthorized access to sensitive data, modification of application behavior, or service disruption.

### CVSS Score

- **CVSS v3.1 Base Score**: 9.8 (Critical)
- **Vector**: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### Exploitation Requirements

- Exploiting this vulnerability requires access to the affected file upload functionality and the ability to upload files without proper server-side validation of file types, extensions, or content. No public exploit code is provided in this disclosure.
### Mitigation Measures

- **Recommended for Affected Users**:
  - Implement strict server-side file upload validation
  - Restrict allowed file extensions and MIME types
  - Store uploaded files outside the web root directory
  - Disable execution permissions on the upload directory
  - Apply available vendor patches or updates
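The following is an added example, not code from the Sourcecodester project or from this advisory, showing what the first four mitigation measures look like in one server-side upload handler. `naive_check` is the weak pattern CWE-434 describes (trusting the client-supplied Content-Type and a substring of the filename); `validate_upload` and `store_upload` are the hardened replacement: an extension allowlist, magic-byte content sniffing, rejection of double extensions and path components, a random server-chosen filename, and storage with no execute bit. The allowed types in `ALLOWED_TYPES` and the path in `UPLOAD_ROOT` are assumptions, since the advisory does not say which file types the upload feature is meant to accept or where the application stores them.

```python
import os
import re
import secrets
import stat
import tempfile

# Allowlist mapping each permitted extension to the magic bytes a genuine file
# of that type starts with. The set is an assumption: the advisory does not say
# which file types the contact-tracing system's upload feature should accept.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Storage location outside the web root (assumed path, set per deployment).
UPLOAD_ROOT = "/srv/app-data/uploads"


def naive_check(client_mime: str, filename: str) -> bool:
    """The weak pattern behind CWE-434: trusts the client-supplied Content-Type
    header and a substring match on the name. Shown only as the 'before'."""
    return client_mime.startswith("image/") or ".jpg" in filename.lower()


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the allowlisted extension for an acceptable upload, else raise."""
    # Drop client-supplied directory components and reject embedded NULs.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("invalid filename")
    # Exactly 'name.ext' with a single extension; double extensions do not match.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    # Sniff the content: the bytes must match the claimed type, not just the name.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    return ext


def store_upload(filename: str, content: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate, then write under a random server-chosen name with no execute bit."""
    ext = validate_upload(filename, content)
    os.makedirs(root, mode=0o750, exist_ok=True)
    path = os.path.join(root, f"{secrets.token_hex(16)}.{ext}")
    # O_EXCL: never overwrite an existing file; 0o640: readable, never executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def is_executable(path: str) -> bool:
    """True if any execute bit is set on the stored file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o111)


def run_demo() -> dict:
    """Exercise both checks on constructed inputs and report the outcomes."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # constructed JPEG header
    text = b"plain text that is not an image at all"  # constructed non-image body

    def rejected(name: str, data: bytes) -> bool:
        try:
            validate_upload(name, data)
            return False
        except UploadRejected:
            return True

    results = {}
    # The weak check passes anything whose client-declared type says "image/".
    results["naive_accepts_nonimage"] = naive_check("image/jpeg", "notes.txt")
    results["hardened_rejects_bad_ext"] = rejected("notes.txt", text)
    results["hardened_rejects_double_ext"] = rejected("notes.txt.jpg", jpeg)
    results["hardened_rejects_mismatch"] = rejected("photo.jpg", text)
    # Path components are stripped and the extension is case-normalised.
    results["hardened_accepts_jpeg"] = validate_upload("../photo.JPG", jpeg) == "jpg"
    root = tempfile.mkdtemp()  # stands in for a directory outside the web root
    stored = store_upload("photo.jpg", jpeg, root=root)
    results["stored_inside_root"] = os.path.dirname(stored) == root
    results["stored_not_executable"] = not is_executable(stored)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

`run_demo` writes into a temporary directory so the example runs anywhere; in a deployment `UPLOAD_ROOT` should be a directory the web server cannot serve, with uploads handed back to clients through a download endpoint rather than a direct URL. Note that the filename regex is deliberately strict: it accepts only one dot, which is what makes double-extension names fail closed rather than depending on how the web server maps extensions to handlers.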