CVE Alert: CVE-2025-10424 – 1000projects – Online Student Project Report Submission and Evaluation System

CVE-2025-10424

Severity: HIGH | No exploitation known | PoC observed

A vulnerability has been identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected element is an unknown function in the file /admin/controller/faculty_controller.php. Manipulation of the argument new_image leads to unrestricted upload. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

CVSS v3.1: 7.3
Vendor: 1000projects
Product: Online Student Project Report Submission and Evaluation System
Versions: 1.0
CWE: CWE-434, Unrestricted Upload
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-15T03:32:06.816Z
Updated: 2025-09-15T17:07:50.725Z

AI Summary Analysis

Risk verdict

Urgent: remote, unauthenticated unrestricted upload risk with a publicly disclosed PoC and automatable exploit, exposing the system to potential remote compromise.

Why this matters

An attacker can upload arbitrary files via the vulnerable endpoint; if those files are processed or served by the web application, this could lead to code execution, data exposure, or service disruption. In an education platform context, there is elevated risk to student data, project submissions, and administrator access, with potential lateral movement within the hosting environment.

Most likely attack path

An attacker sends a crafted request to /admin/controller/faculty_controller.php, abusing the new_image parameter to bypass upload controls. Because the flaw is a network-accessible, unauthenticated upload, it lets an attacker place a payload on the web-facing host. If the server interprets the uploaded content (e.g., PHP) or stores it in a web-accessible location, this can lead to code execution or further compromise without user interaction.

Who is most exposed

Publicly reachable admin interfaces in web-hosted student project systems are most at risk, especially where uploads are not strictly validated or sandboxed. Organisations rapidly deploying or hosting these apps on shared or cloud environments with weak upload guards have the highest exposure.

Detection ideas

  • Anomalous or high-volume uploads to admin endpoints (new_image parameter)
  • Newly created files in upload directories with executable extensions
  • Web server errors or unusual responses after upload attempts
  • Web shells or suspicious shell-like payloads in uploads
  • Sudden spikes in admin activity logs or file-type mismatches

Mitigation and prioritisation

  • Apply patch or upgrade to fixed release; verify vendor advisory is implemented
  • Implement strict allow-lists for upload types and reject executable extensions
  • Store uploads outside the web root; disable execution of uploaded content
  • Enforce authentication and layered access controls; require CSRF protection
  • Enable strict input validation and server-side sanitisation; monitor/alert on new_image usage
  • Consider WAF rules for file upload anomalies; perform rapid patch validation
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1
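The allow-list, outside-web-root and server-side validation items above, as an added PHP example that is not code from 1000projects or the affected application; the field name new_image comes from the advisory, while the storage path, size limit and permitted image types are assumptions.

```php
<?php
// Added example, not code from the affected application: a hardened handler
// for an upload field named new_image. Storage path and size limit are assumed.

// Directory outside the web root (assumed path): nothing stored here can be
// requested from the web server, so an uploaded .php file is never executed.
const UPLOAD_DIR = '/var/app-data/faculty_images';
const MAX_BYTES  = 2 * 1024 * 1024; // assumed 2 MiB limit

// Allow-list: permitted extensions and the MIME type each must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

// Validate and store one entry of $_FILES. Returns the stored name or null.
function store_new_image(array $file): ?string
{
    // Transport errors, missing files, oversized or non-upload paths: reject.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Extension must be on the allow-list (client-supplied name, lower-cased).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }

    // Sniff the real MIME type from the bytes; $file['type'] is client-controlled.
    // A mismatch here is the "file-type mismatch" signal listed under detection.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]
        || getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Discard the client's file name: a random name defeats double-extension
    // and path tricks, and the extension written is the vetted one.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)
        ? $stored : null;
}

if (isset($_FILES['new_image'])) {
    http_response_code(store_new_image($_FILES['new_image']) === null ? 400 : 200);
}
```

Serving the stored images back to users should go through a read-only handler that sets an explicit image Content-Type, never by exposing UPLOAD_DIR directly.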
