CVE-2023-33440
Description
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sourcecodester Faculty Evaluation System v1.0 allows arbitrary PHP code execution via an unrestricted file upload in /eval/ajax.php?action=save_user.
Vulnerability
The vulnerability resides in the /eval/ajax.php?action=save_user endpoint of Sourcecodester Faculty Evaluation System v1.0. The application fails to validate the file type of the img parameter during user profile updates, allowing a remote attacker to upload a malicious PHP script. The affected version is v1.0 as provided by Sourcecodester [2].
Exploitation
An attacker must first authenticate as a Super Admin (default credentials admin@admin.com/admin123 are provided in the available reference). The attacker then sends a crafted POST request to /eval/ajax.php?action=save_user with a PHP payload as the img file (e.g., hack.php with content <?php phpinfo();?>). The uploaded file is stored in the \eval\assets\uploads directory, and the path is returned in the HTTP response [2].
Impact
Successful exploitation grants the attacker arbitrary PHP code execution on the web server. This can lead to full compromise of the application, data exfiltration, or lateral movement within the network, depending on the server's configuration and privileges [2].
Mitigation
No official patch has been released by the vendor as of the publication date (2023-05-26). Users are advised to restrict access to the admin panel, implement proper file type validation and upload restrictions, and consider disabling the user save functionality if not required. The vulnerability does not appear on the CISA KEV list [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sourcecodester/Faculty Evaluation System
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing file extension and content validation in the user image upload handler allows arbitrary PHP file upload."
Attack vector
An attacker with a valid Super Admin account (e.g., admin@admin.com/admin123) sends a crafted POST request to `/eval/ajax.php?action=save_user` with a `multipart/form-data` payload [ref_id=1]. The `img` field contains a file named with a `.php` extension (e.g., `hack.php`) whose content is arbitrary PHP code [ref_id=1]. The server accepts the file, stores it in the publicly accessible `/eval/assets/uploads` directory, and returns the upload path in the response [ref_id=1]. The attacker then visits that path in a browser, causing the PHP code to execute on the server.
Affected code
The vulnerability exists in `/eval/ajax.php?action=save_user` within the Faculty Evaluation System v1.0 by oretnom23 [ref_id=1]. The file upload handler in this endpoint accepts a user-supplied image file (`img` parameter) and stores it under the `/eval/assets/uploads` directory without validating the file extension or content [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation guidance from the vendor [ref_id=1]. To close this vulnerability, the application should validate uploaded file extensions against an allowlist (e.g., only image types such as `.jpg`, `.png`, `.gif`), verify the file content matches the expected MIME type, and store uploads outside the web root or in a directory configured to prevent script execution.
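A hardened replacement for the `img` upload handling, as an added example (not code from the Faculty Evaluation System or its author): it applies the allowlist, content check and out-of-web-root storage described above. `store_profile_image`, `UPLOAD_DIR` and the private directory path are assumptions.

```php
<?php
// Assumption: a directory outside the web root, so stored files are never
// reachable as a URL and PHP will not execute them.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';

// Allowlist: extension -> MIME type that must be detected from the file content.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and move it to UPLOAD_DIR.
 * Returns the stored filename; throws on any validation failure.
 */
function store_profile_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file provided');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    // 1. Extension must be on the allowlist (case-insensitive).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('File extension not allowed');
    }
    // 2. MIME type sniffed from the bytes must match the extension.
    //    $file['type'] is ignored: it is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException('File content does not match an allowed image type');
    }
    // 3. The file must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    // 4. Discard the client-supplied name; use a random name plus the validated extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored; // serve later through a read-and-echo script, not by direct URL
}
```

If uploads must remain under the web root, disabling script execution for that directory (for example `php_flag engine off` in an Apache `.htaccess` under mod_php) is an additional layer, not a substitute for the checks above.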
Preconditions
- auth: Attacker must possess a valid Super Admin account (e.g., admin@admin.com/admin123)
- network: The target server must have the Faculty Evaluation System v1.0 installed and accessible over HTTP
- config: The /eval/assets/uploads directory must be writable and accessible from the web
Reproduction
1. Log in to the Faculty Evaluation System as a Super Admin (e.g., admin@admin.com / admin123).
2. Send a POST request to `/eval/ajax.php?action=save_user` with a `multipart/form-data` body containing a file in the `img` field named `hack.php` with content `<?php phpinfo();?>` and the required user fields (`id`, `firstname`, `lastname`, `email`).
3. Note the uploaded file path returned in the response (e.g., `/eval/assets/uploads/hack.php`).
4. Visit that path in a browser; the PHP code executes, displaying the phpinfo output [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.