CVE-2024-30849 is an arbitrary file upload vulnerability identified in Sourcecodester Complete E-Commerce Site version 1.0. The vulnerability exists in the admin/products_photo.php script, specifically via the filename parameter, which does not properly validate or sanitize user input. This flaw allows unauthenticated remote attackers to upload arbitrary files, including potentially malicious scripts, to the server. Successful exploitation can lead to remote code execution (RCE), enabling attackers to execute arbitrary commands with the privileges of the web server process. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), indicating that the application improperly handles file inclusion based on user-supplied input. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes have been published as of the report date, and no known exploits have been observed in the wild. However, the criticality and ease of exploitation make this a high-risk vulnerability for organizations using this software. Attackers exploiting this vulnerability could gain full control over the affected web server, leading to data theft, defacement, malware deployment, or pivoting to internal networks.

The impact of CVE-2024-30849 is severe for organizations deploying Sourcecodester Complete E-Commerce Site v1.0. Exploitation can result in complete system compromise, including unauthorized access to sensitive customer data, financial information, and intellectual property. Attackers can execute arbitrary code, potentially installing backdoors, ransomware, or other malware, disrupting business operations and causing significant reputational damage. The vulnerability affects the confidentiality, integrity, and availability of the affected systems. Given the e-commerce context, this could lead to financial fraud, loss of customer trust, and regulatory penalties under data protection laws. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations with internet-facing installations of this software are particularly vulnerable, and the absence of patches increases exposure time. The threat also extends to supply chain risks if attackers use compromised servers as launch points for broader attacks.

To mitigate CVE-2024-30849, organizations should immediately restrict access to the admin/products_photo.php script, ideally limiting it to trusted IP addresses or VPN users. Implement strict server-side validation and sanitization of all file upload parameters, especially the filename, to prevent malicious file uploads. Employ allowlists for permitted file types and enforce file size limits. Disable execution permissions on directories used for file uploads to prevent uploaded scripts from running. Monitor web server logs for unusual file upload attempts or suspicious activity. If possible, isolate the e-commerce application in a segmented network zone to limit lateral movement in case of compromise. Organizations should also consider deploying web application firewalls (WAFs) with rules to detect and block arbitrary file upload attempts targeting this vulnerability. Regularly back up critical data and test restoration procedures. Stay alert for official patches or updates from the vendor and apply them promptly once available. Conduct security assessments and penetration testing focused on file upload functionality to identify and remediate similar issues.