CVE-2025-10480: Unrestricted Upload in SourceCodester Online Student File Management System
A weakness has been identified in SourceCodester Online Student File Management System 1.0. It affects an unknown function in the file /save_file.php, where manipulating the request can lead to an unrestricted file upload. The attack may be launched remotely. A public exploit is available and could be used.
AI Analysis
Technical Summary
CVE-2025-10480 is a medium-severity vulnerability identified in version 1.0 of the SourceCodester Online Student File Management System. The vulnerability resides in the file /save_file.php, where an unrestricted file upload weakness allows an attacker to upload arbitrary files without proper validation or restriction. This flaw can be exploited remotely without requiring user interaction or elevated privileges, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L/VI:L/VA:L), suggesting that the uploaded files could be used to execute malicious code, overwrite existing files, or disrupt service. The exploit has been publicly disclosed, increasing the risk of exploitation, although no confirmed in-the-wild attacks have been reported yet. The vulnerability does not require authentication, making it accessible to unauthenticated attackers. The lack of patch links indicates that a vendor fix may not yet be available, emphasizing the need for immediate mitigation. Overall, this vulnerability poses a tangible risk to organizations using this specific file management system, especially in educational environments where sensitive student data is managed.
Potential Impact
For European organizations, particularly educational institutions and universities using the SourceCodester Online Student File Management System 1.0, this vulnerability could lead to unauthorized file uploads that may result in remote code execution, data leakage, or service disruption. The compromise of student records and sensitive academic data could have severe privacy and regulatory implications under GDPR. Additionally, attackers could leverage this vulnerability to establish persistent access or pivot within the network, potentially impacting broader organizational IT infrastructure. The medium severity rating reflects a moderate but actionable risk, especially given the public availability of exploits. The impact is heightened in environments where this system is internet-facing or insufficiently segmented from critical infrastructure.
Mitigation Recommendations
1. Immediately restrict access to the /save_file.php endpoint using network-level controls such as firewalls or web application firewalls (WAF) to limit exposure to trusted IP addresses.
2. Implement strict input validation and file type restrictions on uploaded files, ensuring only allowed file formats are accepted and that they are scanned for malware.
3. Employ application-layer security controls such as disabling direct execution permissions on upload directories and segregating uploaded files from the web root to prevent execution.
4. Monitor logs for unusual upload activity and set up alerts for anomalous file uploads.
5. If possible, upgrade or patch the Online Student File Management System once a vendor fix is released.
6. Conduct a thorough security review of the system’s file upload functionality and consider alternative secure file management solutions if remediation is delayed.
7. Educate IT staff and users about the risks of unrestricted file uploads and enforce least privilege principles on system access.
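The following is an added illustration of recommendations 2 and 3, not code from the SourceCodester project or its actual save_file.php (which is not shown here): a hardened upload handler that allowlists types, verifies content with libmagic, assigns a random server-chosen name and stores the file outside the web root. The form field name "file", the UPLOAD_DIR path and the allowlist contents are assumptions.

```php
<?php
// Added illustration, not code from the SourceCodester project: a hardened
// upload handler applying recommendations 2 and 3 above. The field name
// "file" and UPLOAD_DIR are assumptions; the real save_file.php is not shown.
// Store uploads OUTSIDE the web root so the server never serves or executes
// them directly; a separate download script must stream them with readfile().
const UPLOAD_DIR = '/var/lib/studentfiles/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;
// Allowlist: extension => the only content-sniffed MIME type accepted for it.
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
function saveUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Not an upload, or too large');
    }
    // Never trust the client-supplied name or type: check the extension against
    // the allowlist and verify the bytes really are that type (libmagic).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Server-chosen random name: no path traversal, no double extensions, and
    // no overwriting of existing files.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // no execute bit; readable only by the app user/group
    return $dest;
}
try {
    saveUpload($_FILES['file'] ?? []);
    echo 'Stored';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . $e->getMessage();
}
```

Because the stored file is never reachable by URL, a polyglot that passes the type check still cannot be executed by the web server; the network-level restriction in recommendation 1 remains the stopgap until a vendor fix exists.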
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-15T14:01:26.465Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c887a0ade1c1a7413995e8
Added to database: 9/15/2025, 9:39:44 PM
Last enriched: 9/15/2025, 9:40:26 PM
Last updated: 9/18/2025, 8:01:00 AM