Online Hotel Reservation System
CVE-2025-11352
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security vulnerability has been detected in code-projects Online Hotel Reservation System 1.0. This affects an unknown function of the file /admin/addexec.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Analysis (AI)
Unrestricted file upload in code-projects Online Hotel Reservation System 1.0 allows authenticated remote attackers to upload arbitrary files via the image parameter of /admin/addexec.php, potentially leading to remote code execution. The vulnerability has a low CVSS score (2.1) because it requires low-privileged authentication and has a limited impact scope, but publicly available exploit code exists and the issue affects confidentiality, integrity, and availability at the application layer.
Technical Context (AI)
The vulnerability resides in /admin/addexec.php, a backend administrative PHP script that handles hotel reservation operations. The script does not properly validate the image parameter: it enforces no file type restrictions, no MIME type verification, and no isolation of the upload destination. The weakness is classified as CWE-284 (Improper Access Control): the system does not adequately restrict who may upload files or which file types are permitted. Weak authorization on the upload handler, combined with inadequate file validation, gives a direct path to placing arbitrary files on the server, and where the web server executes PHP from that location this becomes code execution.
Remediation (AI)
Primary remediation requires applying a security patch from the vendor; however, no patched version is identified in the available references. Organizations should contact code-projects through https://code-projects.org/ to request a security update or confirmation of availability. As an interim compensating control, restrict access to /admin/addexec.php and the /admin/ directory to trusted IP addresses only via web server configuration (e.g., an Apache .htaccess or an nginx location block), and configure the upload directory so that uploaded files cannot be executed (e.g., chmod 644 on uploaded files, and an .htaccess in that directory containing 'php_flag engine off'). Additionally, implement strict file type validation at the application level by whitelisting only image MIME types (image/jpeg, image/png, image/gif) and verifying the type server-side from the file's magic bytes rather than from its extension. If administratively feasible, generate audit logs for all file uploads through /admin/addexec.php and monitor for unexpected file types or sizes. These controls trade ease of administration for security; verify that legitimate admin workflows are not disrupted by the IP restrictions before deployment.
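The application-level controls listed above (server-side magic-byte verification, an image MIME whitelist, and an audit log of uploads) can be combined in one validation routine. The following PHP is an added example written for this record; it is not code from the Online Hotel Reservation System or from code-projects. The function name storeUploadedImage, the upload directory argument, and the $_SESSION['username'] key used in the audit line are assumptions for illustration.

```php
<?php
// Added example: hardened handling of an uploaded image parameter.
// Assumes $uploadDir is a directory where PHP execution is disabled
// (e.g. via 'php_flag engine off' in its .htaccess) or that sits outside
// the web root. This routine validates content; it does not replace that setting.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES by its magic bytes (never by the
 * client-supplied name or MIME type) and store it under a server-generated
 * name. Returns the stored filename; throws RuntimeException on any failure.
 */
function storeUploadedImage(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . ($file['error'] ?? 'unknown'));
    }
    // Guards against paths that did not come through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Content sniffing via libmagic: the detected type is derived from the bytes on disk.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!is_string($detected) || !isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new RuntimeException('Rejected upload: detected type ' . var_export($detected, true));
    }

    // Second check: the file must decode as an image, not merely carry an image signature.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Rejected upload: not a decodable image');
    }

    // Never reuse the client-supplied filename; the extension follows the detected type.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$detected];
    $dest       = rtrim($uploadDir, '/') . '/' . $storedName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0644);

    // Audit trail: who uploaded what, with the detected type and size (assumed session key).
    error_log(sprintf(
        '[upload-audit] user=%s original=%s stored=%s type=%s size=%d',
        $_SESSION['username'] ?? 'unknown',
        $file['name'] ?? '',
        $storedName,
        $detected,
        $file['size']
    ));

    return $storedName;
}

// Example call from an admin handler, after the session/authorization check has passed:
// $stored = storeUploadedImage($_FILES['image'], __DIR__ . '/../uploads');
```

The extension check that the original handler lacks is deliberately absent here as well: the decision rests on libmagic and on a successful decode, and the stored name is generated by the server, so a client cannot influence either the extension or the path. Because an image that decodes correctly can still carry trailing script content, the execution-disabled upload directory from the remediation text remains the control that actually prevents code execution.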