Critical Unrestricted Upload Bug Found in Pharmacy System
CVE Notify is flagging a critical vulnerability (tracked as CVE-2025-3783, see the indicator table below) in SourceCodester's Web-based Pharmacy Product Management System, version 1.0. The issue lies within the /add-product.php file and affects an unspecified functionality that handles the 'Avatar' argument. According to CVE Notify, attackers can exploit this to achieve unrestricted file uploads.
This vulnerability is particularly concerning because it can be triggered remotely, meaning attackers don’t need local access to the system. The fact that an exploit has been publicly disclosed significantly increases the risk, as malicious actors can now readily leverage this flaw. While the exact functionality affected is listed as unknown, the implication of unrestricted uploads is clear: it opens the door to uploading malicious files, potentially leading to full system compromise.
Given the nature of pharmacy systems, which often handle sensitive patient data and critical operational functions, this vulnerability demands immediate attention. The potential for data breaches or operational disruption is substantial.
What This Means For You
- Organizations utilizing SourceCodester Web-based Pharmacy Product Management System 1.0 should immediately review their /add-product.php endpoint for any custom modifications or security controls around the 'Avatar' file upload parameter, and consider disabling the feature or implementing strict server-side validation of file type and content (not just the client-supplied filename or MIME header) until a patch is available.
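The following is an added illustration of what "strict server-side validation" for an avatar upload looks like in PHP, the language the affected application is written in. It is not the vendor's /add-product.php code (the page does not show the vulnerable handler, only that the 'Avatar' argument is affected); the field name `Avatar`, the upload directory, the size cap and the allow-list of image types are assumptions made for the example.

```php
<?php
// Hypothetical hardened avatar-upload handler, written for this advisory as an
// illustration. It is NOT the vendor's /add-product.php code; the form field
// name "Avatar", the upload directory and the size limit are assumptions.

declare(strict_types=1);

const AVATAR_MAX_BYTES = 512 * 1024;                      // assumed 512 KiB cap
const AVATAR_DIR       = __DIR__ . '/../uploads/avatars'; // assumed: outside the web root
const AVATAR_TYPES     = [                                // allow-list: sniffed MIME => extension
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and return the server-chosen filename it was
 * stored under, or throw a RuntimeException with a reason the caller can log.
 */
function storeAvatar(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept files that really arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Sniff the actual content. $file['type'] and $file['name'] are both
    //    supplied by the client and must not drive any decision.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(AVATAR_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type: ' . (string) $mime);
    }

    // 2. Require a parsable image whose detected type agrees with the sniffed
    //    MIME type. This is a sanity check, not a complete defence by itself.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // 3. The server picks the name: random stem plus an allow-listed extension.
    //    The client-supplied name is discarded entirely, so tricks such as a
    //    double extension or a path component never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . AVATAR_TYPES[$mime];

    if (!is_dir(AVATAR_DIR) && !mkdir(AVATAR_DIR, 0750, true)) {
        throw new RuntimeException('cannot create avatar directory');
    }
    $dest = AVATAR_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable

    return $name;
}

// Usage inside the product form handler (field name "Avatar" is assumed).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['Avatar'])) {
    try {
        $stored = storeAvatar($_FILES['Avatar']);
        // Persist $stored with the product record and serve it back through a
        // read-only download handler rather than exposing the directory directly.
    } catch (RuntimeException $e) {
        error_log('avatar upload rejected: ' . $e->getMessage());
        http_response_code(400);
        exit('Upload rejected');
    }
}
```

Two points in the design matter more than any single check: the stored filename and extension are chosen by the server from an allow-list, and the destination directory sits outside the document root with no execute permission. Even if a content check is bypassed, a file that cannot be requested by URL and cannot be executed by the web server does not turn an upload into code execution. Where the directory must stay web-accessible, pair this with a web server rule that disables script handling for that path.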
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-3783 | Unrestricted Upload | SourceCodester Web-based Pharmacy Product Management System 1.0, file: /add-product.php, argument: Avatar |