# CVE-2025-70151 - Scholars Tracking System 1.0: Authenticated Unrestricted File Upload Leads to Remote Code Execution

## Summary

### Description

- **Vulnerability:** Unrestricted File Upload in the profile picture/photo upload functionality.
- **Issue:** Attacker-supplied filenames are stored directly into a web-accessible directory ( ) without validating the file extension or type. An authenticated user can therefore upload a PHP file and achieve Remote Code Execution (RCE) as the web server user (e.g., ).
- **Affected Endpoints:** , .

## Root Cause Analysis

- The code moves the uploaded file to using the original, user-supplied filename.
- No server-side validation restricts uploads to safe image formats.
- The directory is web-accessible and configured to execute PHP files.

## Steps to Reproduce (PoC)

1. Create a PHP PoC file ( ):
2. Upload the PHP file:
   (Alternative) Via :
3. Trigger RCE:

Expected result: the server executes the uploaded PHP and returns output similar to:

## Impact

Successful exploitation can lead to:

- Remote Code Execution (RCE) on the web server as the web server user.
- Full compromise of application data and database credentials.
- Arbitrary file read/write within the web server's permissions.
- Installation of persistent backdoors.
- Further lateral movement.

## Recommendation / Fix

1. Strict Allowlist Validation:
   - Allow only safe image extensions (e.g., , , , , ).
   - Verify the MIME type with and validate image headers/magic bytes.
2. Do Not Use User-Controlled Filenames:
   - Generate random filenames and store uploads under the generated name.
3. Disable Script Execution in Upload Directories:
   - Configure the web server to prevent PHP execution in (e.g., Apache/Nginx rules).
4. Store Uploads Outside the Web Root:
   - Serve uploaded content via a controlled download endpoint.

## References

- CWE-434: Unrestricted Upload of File with Dangerous Type
- OWASP: Unrestricted File Upload
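The following is an added example written for this page; it is not code from Scholars Tracking System and does not reproduce its actual upload handler. It places the vulnerable pattern the advisory describes (trusting the client's filename and writing into an executable, web-served directory) next to a handler that applies all four recommendations above: an allowlist keyed on the sniffed MIME type, a magic-byte check via `getimagesize()`, a server-generated random filename, storage outside the document root, and a dedicated download endpoint. The `$_FILES` field name `photo`, the storage path `/var/app/uploads`, and the function names are assumptions for illustration.

```php
<?php
// Added example (not Scholars Tracking System code). Field name "photo",
// the storage path and all function names are illustrative assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (as described in the advisory) ---------------------
// The client-supplied name is used verbatim and the file lands in a directory
// that the web server both serves and executes, so "shell.php" becomes a
// remote shell for anyone who can reach the upload form.
function vulnerable_upload(string $uploadDir): string
{
    $name = $_FILES['photo']['name']; // attacker controlled, never checked
    move_uploaded_file($_FILES['photo']['tmp_name'], $uploadDir . '/' . $name);
    return $name;
}

// --- Hardened handler -------------------------------------------------------
// Only these sniffed MIME types are accepted; the value is the extension the
// server will assign. The client's extension is never consulted.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB cap for a profile picture

function secure_upload(array $file, string $storageDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Sniff the content with libmagic; ignore $file['type'] (client-set).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("disallowed type: $mime");
    }

    // 2. The image header must parse and agree with the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // 3. Server-chosen random name with a server-chosen extension; the
    //    original filename (and any "../" in it) is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;

    // 4. $storageDir is outside the document root, so nothing stored here
    //    is ever served or executed directly by the web server.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // no execute bit, not world readable
    return $name;
}

// Controlled download endpoint: the only path by which uploaded bytes reach a
// browser. The name is validated against the exact pattern secure_upload()
// generates, which also rules out path traversal.
function serve_photo(string $storageDir, string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage (assumed field name and storage path):
// $stored = secure_upload($_FILES['photo'], '/var/app/uploads');
// serve_photo('/var/app/uploads', $stored);
```

One caveat worth keeping in mind when reviewing a fix like this: the content checks alone are not sufficient. A polyglot that begins with a valid GIF header and carries PHP after it passes both `finfo` and `getimagesize()`. What actually closes the RCE path is that the stored file gets a server-chosen image extension, lives outside the document root, and is only ever read back through `serve_photo()` with a fixed `Content-Type`; the allowlist and magic-byte checks are defense in depth on top of that.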