Online Hotel Reservation System
CVE-2025-11351
Severity by source: LOW (primary rating from NVD · only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A weakness has been identified in code-projects Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file /admin/editpicexec.php. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Analysis (AI-generated)
Unrestricted file upload in code-projects Online Hotel Reservation System 1.0 lets an authenticated remote attacker upload arbitrary files through the image parameter of /admin/editpicexec.php. If the uploaded file lands in a directory the web server executes PHP from, this becomes remote code execution as the web server user. The CVSS 4.0 vector records low privileges (PR:L), low confidentiality, integrity and availability impact, and a public proof of concept (E:P); because the handler sits under /admin/, the practical precondition is a valid admin-panel login. EPSS puts the exploitation probability at 0.04% despite the public PoC, which reflects the small install base of this educational project rather than any difficulty in exploiting it.
Technical Context (AI-generated)
The upload handler at /admin/editpicexec.php, written in PHP, stores the file received in the image parameter without verifying its type, so an authenticated admin user can upload an executable file (for example a PHP web shell) in place of a picture. The issue is classified as CWE-284 (Improper Access Control); the behaviour described is the textbook CWE-434 case, Unrestricted Upload of File with Dangerous Type. The handler's source is not reproduced here, but the reported outcome implies the usual combination of defects: the client-supplied file name and extension are used as-is, the browser-sent Content-Type is trusted or ignored, no size limit is enforced, and the destination is a directory under the document root where the web server executes .php files. Under those conditions the uploaded file runs with the privileges of the web server process (the account PHP runs as), not merely those of the application's admin account. Online Hotel Reservation System is a small PHP demo application from code-projects.org, commonly deployed on shared hosting or in educational environments.
Remediation (AI-generated)
Check https://code-projects.org/ for a release of Online Hotel Reservation System later than 1.0 and upgrade if one is published. No fixed version is listed here, so plan on the compensating controls below in any case.
Network access: put the /admin/ area behind a VPN or an IP allowlist and require multi-factor authentication for admin accounts. Every exploitation path needs a logged-in admin session, so keeping attackers out of the panel is the control with the broadest effect.
Feature removal: if picture editing is not needed, disable /admin/editpicexec.php (delete the file or have the web server return 403 for it) rather than leaving the handler reachable.
Server-side validation only: accept .jpg, .png and .gif, decide the type from the file bytes (getimagesize or finfo) rather than from the client-supplied name or Content-Type, enforce a size limit, and reject anything whose extension does not match the decoded type. Checks in the browser form are convenience, not a control; the attacker sends the request directly.
Storage: write uploads outside the document root under a random, server-generated name and serve them through a download script that sets an image Content-Type and a Content-Disposition header. If they must stay under the web root, switch script execution off for that directory: with mod_php, 'php_flag engine off' in the directory's configuration; with PHP-FPM that directive has no effect, so instead deny PHP-handled extensions for the directory (for example a <FilesMatch "\.ph(p[0-9]?|tml|ar)$"> block with 'Require all denied') or remove the PHP handler mapping for that location. Verify the change by placing a file containing '<?php echo 1;' in the directory and requesting it: the server should return the source bytes or a 403, never the digit 1.
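The following is an added example for the validation and storage advice above and for the defects described under Technical Context; it is not code from code-projects' Online Hotel Reservation System, whose source is not reproduced on this page. It shows the unsafe pattern the advisory describes next to a hardened handler. The form field name "image" comes from the advisory; the function names, the storage directory, the size limit and the use of the GD extension are this example's own assumptions.

```php
<?php
// Added example, not the project's code. Assumes PHP 8.0+ with ext-gd.
declare(strict_types=1);

// Unsafe pattern (reconstructed from the advisory's description, not the
// project's source): the client picks the file name, so "shell.php" is
// written as-is into a web-served directory.
function vulnerable_save_image(array $file, string $uploadDir): string
{
    $target = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

/**
 * Hardened handler. Accepts only JPEG/PNG/GIF decided from the bytes,
 * re-encodes through GD (drops EXIF/comment chunks that could carry a
 * polyglot payload), and stores under a random server-chosen name with an
 * extension derived from the decoded type, in a directory that should live
 * outside the document root.
 *
 * Returns the stored file name; throws RuntimeException on any failure.
 */
function safe_save_image(array $file, string $storageDir, int $maxBytes = 2 * 1024 * 1024): string
{
    // 1. PHP's own upload bookkeeping: error flag and size.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!isset($file['size']) || $file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // 2. Only operate on files PHP itself received via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 3. Type from the bytes, never from $_FILES['type'] or the name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not a decodable image');
    }
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $type = $info[2];
    if (!isset($allowed[$type])) {
        throw new RuntimeException('image type not allowed');
    }
    // 4. Decode with GD so the bytes we write are ones GD produced.
    $img = match ($type) {
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    if ($type === IMAGETYPE_PNG) {
        // Keep transparency when re-encoding PNGs.
        imagealphablending($img, false);
        imagesavealpha($img, true);
    }
    // 5. Server-chosen name: random, extension from the decoded type.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$type];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Usage inside the handler, replacing the move_uploaded_file() call
// (storage path is an assumed value, outside the document root):
//   $name = safe_save_image($_FILES['image'], '/var/lib/hotel-uploads');
// Persist $name and serve the file through a read-only download script that
// sets Content-Type: image/* and Content-Disposition, not by direct URL.
```

Re-encoding is what makes the difference between "looks like an image" and "is an image": a file that passes getimagesize can still carry PHP in a comment chunk, but the bytes GD writes out are only the decoded pixels. Keep the directory lockdown (script execution off) as a second layer regardless, so a future bug in the handler does not turn straight into code execution.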