CVE-2024-57487: n/a
In Code-Projects Online Car Rental System 1.0, the file upload feature does not validate file extensions or MIME types allowing an attacker to upload a PHP shell without any restrictions and execute commands on the server.
AI Analysis
Technical Summary
CVE-2024-57487 identifies a critical security weakness in the Code-Projects Online Car Rental System version 1.0, specifically in its file upload functionality. The vulnerability arises because the system does not validate the file extensions or MIME types of uploaded files, allowing an attacker to upload a PHP shell script. This uploaded shell can then be executed on the server, enabling the attacker to run arbitrary commands remotely. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), which typically leads to remote code execution (RCE). The CVSS 3.1 base score is 6.5, indicating medium severity with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This means the attack can be performed remotely over the network without any privileges or user interaction, with low attack complexity. Confidentiality and integrity are partially affected, since attackers can execute commands, while no availability impact is indicated. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses a serious risk because web shells can be used as footholds for further attacks, including data exfiltration, privilege escalation, or lateral movement within the network. The lack of validation on file uploads is a common and critical security oversight in web applications, especially those handling sensitive business operations like car rental management.
Potential Impact
The primary impact of CVE-2024-57487 is unauthorized remote code execution on the affected server, which can lead to partial loss of confidentiality and integrity. Attackers can upload malicious PHP shells to execute arbitrary commands, potentially accessing sensitive customer data, modifying system configurations, or deploying additional malware. Although availability is not directly impacted, the presence of a web shell can facilitate further attacks that may degrade service or cause downtime. Organizations using this vulnerable system risk data breaches, reputational damage, and regulatory penalties if customer information is compromised. The ease of exploitation without authentication increases the threat level, especially for internet-facing deployments. The lack of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers to develop weaponized payloads. The vulnerability could be leveraged as an initial access vector in multi-stage attacks targeting the broader IT infrastructure of affected organizations.
Mitigation Recommendations
To mitigate CVE-2024-57487, organizations should implement strict server-side validation of all uploaded files, including verifying file extensions and MIME types against an allowlist of safe formats. Disallow uploading of executable files such as PHP, ASP, or other script types. Employ content inspection techniques to detect and block malicious payloads within files. Configure the web server to prevent execution of uploaded files in upload directories by disabling script execution permissions. Use web application firewalls (WAFs) to detect and block suspicious file upload attempts and command execution patterns. Regularly audit and monitor file upload directories for unauthorized files. If possible, update or patch the affected software once a vendor fix is available. Additionally, implement network segmentation and least privilege principles to limit the impact of a potential compromise. Conduct security awareness training for developers to prevent similar vulnerabilities in future releases.
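A hardened upload handler that applies the recommendations above (extension allowlist, content-based MIME detection rather than the client-supplied type, server-chosen filenames, non-executable storage). This is an added example written for this analysis, not code from the Code-Projects application; the image-only policy, the `ALLOWED` map and the `$uploadDir` location outside the web root are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed policy for this example: images only, 2 MiB cap.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validates one $_FILES entry and stores it under a random name in
 * $uploadDir (assumed to sit outside the web root). Returns the stored
 * filename or throws RuntimeException on any failed check.
 */
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension from the client-supplied name, checked against the allowlist.
    // "shell.php" is rejected here; "shell.php.jpg" yields "jpg" and must
    // still pass the content checks below, and the original name is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from file content; $file['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Defence in depth: the file must at least parse as an image. A polyglot
    // can still pass, which is why the rename and no-execute directory matter.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: the client has no say in the stored path or extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $stored;
}
```

Pair this with a web-server rule that disables script execution in the upload directory (for Apache with mod_php, `php_flag engine off` in that directory's configuration), so that even a file that slips past validation is served as static content rather than run.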
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-01-09T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bd6b7ef31ef0b55b5af
Added to database: 2/25/2026, 9:38:30 PM
Last enriched: 2/28/2026, 12:04:22 AM
Last updated: 4/11/2026, 8:49:47 PM