## https://sploitus.com/exploit?id=F8DD1257-D0D7-56DC-BFD0-84E15843E1C6
# CVE-2025-66802
Sourcecodester Covid-19 Contact Tracing System 1.0 โ Unrestricted File Upload Leading to Remote Code Execution
# Description
Sourcecodester Covid-19 Contact Tracing System version 1.0 contains a vulnerability classified as Unrestricted Upload of File with Dangerous Type (CWE-434). The application fails to properly validate uploaded file types in a file upload functionality, allowing remote attackers to upload arbitrary files that may be executed by the server.
Successful exploitation of this vulnerability may result in remote code execution with the privileges of the web server process. The vulnerability can be exploited remotely and may impact confidentiality, integrity, and availability of the affected system.
# Affected Product
- Application: Sourcecodester Covid-19 Contact Tracing System
- Version: 1.0
- Vendor: https://www.sourcecodester.com
# Vulnerability Details
- Vulnerability Type: Unrestricted Upload of File with Dangerous Type
- CWE: CWE-434
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
The vulnerability exists due to insufficient server-side validation of uploaded files, enabling attackers to upload files with executable extensions.
# Impact
An attacker exploiting this vulnerability may be able to execute arbitrary code on the target server. Depending on the server configuration, this could lead to full system compromise, unauthorized access to sensitive data, modification of application behavior, or service disruption.
# CVSS
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Exploitation Conditions
Exploitation requires access to the affected file upload functionality and the ability to upload files without adequate server-side validation of file type, extension, or content. No public exploit code is provided as part of this disclosure.
# Mitigation
It is recommended that affected users:
- Implement strict server-side validation of uploaded files
- Restrict allowed file extensions and MIME types
- Store uploaded files outside the web root
- Disable execution permissions on upload directories
- Apply vendor patches or updates if available
# Credits
- Marcos Tulio
- GitHub: https://github.com/mtgsjr
# Thanks to:
- Paulo Gualter
- GitHub: https://github.com/paulogualter
- LinkedIn: https://www.linkedin.com/in/paulogualter