Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2024-57487 PoC — Code-Projects Online Car Rental System 安全漏洞

Source
https://github.com/aaryan-11-x/CVE-2024-57487-and-CVE-2024-57488
Associated Vulnerability
Title:Code-Projects Online Car Rental System 安全漏洞 (CVE-2024-57487)
Description:In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.
Description
POC of CVE-2024-57487 & CVE-2024-57488
Readme
# Online Car Rental System Vulnerabilities

This repository contains details about the vulnerabilities identified in Code-Projects **Online Car Rental System** project Version 1.0. The vulnerabilities have been assigned CVEs and include comprehensive writeups to assist in understanding and mitigating the issues.

## Vulnerabilities

1. **Remote Code Execution (Authenticated) via File Upload**  
   - **CVE-ID:** CVE-2024-57487
   - **Description:** This vulnerability allows authenticated attackers to upload malicious PHP files, enabling remote command execution on the server.  
   - [View the full writeup here](https://github.com/aaryan-11-x/CVE-2024-57487-and-CVE-2024-57488/blob/main/CVE-2024-57487.md)
  
2. **Stored XSS (Authenticated) in edit-vehicle.php**  
   - **CVE-ID:** CVE-2024-57488
   - **Description:** This vulnerability allows authenticated attackers to inject malicious JavaScript payloads that persist in the system and execute whenever the impacted page is viewed.  
   - [View the full writeup here](https://github.com/aaryan-11-x/CVE-2024-57487-and-CVE-2024-57488/blob/main/CVE-2024-57488.md)



## Disclaimer
These vulnerabilities have been responsibly disclosed to the project maintainers.

## Acknowledgments
- Researcher: Aaryan Golatkar
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →