CVE-2024-46377 identifies a critical arbitrary file upload vulnerability in Best House Rental Management System version 1.0. The vulnerability resides in the save_settings() function of the rental/admin_class.php file, which fails to properly validate or restrict uploaded files. This allows an unauthenticated attacker to upload arbitrary files, including potentially malicious scripts, to the server. Because the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it poses a severe risk. Successful exploitation can lead to remote code execution, enabling attackers to gain full control over the affected system, compromise sensitive data, and disrupt operations. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation (attack vector: network, attack complexity: low), and the high impact on confidentiality, integrity, and availability. No patches or official fixes have been released yet, and no known exploits have been observed in the wild, but the critical nature of this flaw demands immediate attention from organizations using this software.

The impact of CVE-2024-46377 is severe for organizations using Best House Rental Management System 1.0. Attackers can remotely upload malicious files without authentication, potentially leading to full system compromise. This can result in unauthorized access to sensitive customer and business data, disruption of rental management operations, and deployment of malware or ransomware. The integrity of system configurations and data can be compromised, and availability may be affected if attackers execute destructive payloads or disrupt services. Given the critical CVSS score, exploitation could have widespread consequences, including reputational damage, financial losses, and regulatory penalties. Organizations relying on this software for property management are particularly vulnerable, especially if the system is internet-facing or lacks additional security controls.

1. Immediately restrict external access to the Best House Rental Management System, especially the admin interface and the save_settings() function endpoint. 2. Implement web application firewall (WAF) rules to detect and block arbitrary file upload attempts targeting rental/admin_class.php. 3. Conduct thorough input validation and file type restrictions on any file upload functionality, ensuring only safe file types are accepted. 4. Monitor server logs for suspicious file upload activities and unusual file creations in the application directories. 5. Isolate the affected system in a segmented network zone to limit lateral movement in case of compromise. 6. Develop and deploy custom patches or temporary fixes to disable or secure the vulnerable save_settings() function until an official patch is released. 7. Regularly back up critical data and verify backup integrity to enable recovery from potential attacks. 8. Educate administrators about the vulnerability and enforce strong access controls and multi-factor authentication to reduce risk exposure. 9. Stay alert for official patches or updates from the vendor and apply them promptly once available.