Hotel and Lodge Management System
CVE-2025-11398
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD (the only source for this CVE).
Description (CVE.org)
A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The impacted element is an unknown function of the file /profile.php of the component Profile Page. Executing manipulation of the argument image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
An unrestricted file upload vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to upload arbitrary files by manipulating the image parameter of /profile.php. Exploit code is publicly available. Although the endpoint is reachable over the network, real-world risk is rated low because exploitation requires authentication and the impact scope is minimal.
Technical Context (AI)
The vulnerability exists in the Profile Page component (/profile.php) of the SourceCodester Hotel and Lodge Management System, a PHP-based hotel management application. The affected code fails to properly validate or restrict file uploads when processing the image parameter; the weakness is classified under CWE-284 (Improper Access Control). Although the application requires authentication (PR:L in the CVSS vector), the upload validation is insufficient to prevent arbitrary file types from being written to the server. The PHP upload handling likely lacks content-based MIME type validation, extension whitelisting, or a secure storage location, allowing an authenticated user to bypass the intended upload restrictions.
Remediation (AI)
Update SourceCodester Hotel and Lodge Management System to a patched version released by the vendor. If no patched version is currently available, implement the following compensating controls immediately:
(1) Restrict the /profile.php endpoint to HTTPS only, with strong TLS, to prevent interception of authentication credentials.
(2) Configure the web server (Apache/Nginx) to prevent execution of scripts in the upload directory via .htaccess or server blocks (e.g., disable PHP execution in upload folders).
(3) Implement strict server-side file type validation that checks the actual file content (magic bytes), not just the extension, and rejects all non-image MIME types.
(4) Store uploads outside the web root, or in a directory with no execution permissions.
(5) Rename uploaded files to discard the original name and extension, assigning an extension from a whitelist of allowed image types (.jpg, .png, .gif only).
Monitor the vendor's security advisory at sourcecodester.com for an official patch release. Storing uploads in a non-executable location is the most effective control, but it requires a review of the application's architecture.
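The following hardened profile-image upload handler is an added example illustrating controls (3), (4) and (5) above; it is not code from SourceCodester Hotel and Lodge Management System, and the only detail taken from the advisory is the form field name `image`. The storage path `UPLOAD_DIR` and the function name `storeProfileImage` are placeholders chosen for this example.

```php
<?php
// Added example (not the project's own code): a hardened handler for a
// profile-image upload. It sniffs the real content type instead of trusting
// the client, verifies the file decodes as an image of that type, whitelists
// extensions, assigns a random server-chosen name, and stores the file
// outside the web root with no execute bit.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/profile-images'; // placeholder: a path outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;                // 2 MiB size cap

// Sniffed MIME type => canonical extension the server assigns.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate and store one entry of $_FILES. Returns the stored file name;
 * throws RuntimeException on any rejection so the caller fails closed.
 */
function storeProfileImage(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Control (3): check magic bytes via libmagic; $file['type'] is client-supplied and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Rejected content type: ' . var_export($mime, true));
    }

    // A file can carry valid magic bytes yet not be a real image; require it to decode too.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        throw new RuntimeException('File is not a decodable image of the sniffed type');
    }

    // Control (5), part 1: the client's extension must also be on the whitelist.
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($clientExt, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('Disallowed file extension');
    }

    // Control (5), part 2: discard the original name; extension comes from the sniffed type.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;

    // Control (4): directory outside the web root, no execute permission on stored files.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
        throw new RuntimeException('Upload directory unavailable');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);

    return $storedName;
}

// Usage inside the authenticated profile handler:
// $stored = storeProfileImage($_FILES['image']);
// Record $stored against the user and serve it back through a read-only
// script (readfile() with a fixed Content-Type), never by exposing the directory.
```

Because the directory is outside the web root, a stored file can never be requested as a URL, which is what makes control (4) the strongest of the five. If the application cannot be changed to store files there, the same function still works with a directory under the web root, but it must then be paired with control (2), a web-server rule that removes the PHP handler for that directory, so that a misnamed or polyglot file is served as static bytes rather than executed.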