CVE-2025-14582 is a vulnerability identified in version 1.0 of the campcodes Online Student Enrollment System, specifically in the /admin/index.php?page=user-profile endpoint. The vulnerability arises from insufficient validation of the userphoto parameter, which allows an authenticated user with high privileges to upload files without restrictions. This unrestricted upload flaw can be exploited remotely by manipulating the userphoto argument, potentially allowing attackers to upload malicious files such as web shells or scripts. The vulnerability does not require user interaction but does require that the attacker has high-level privileges (PR:H) on the system, which typically means administrative access. The CVSS 4.0 base score is 5.1, indicating a medium severity level, with network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and no privileges required for the attack itself but high privileges needed to initiate it (PR:H). The impact on confidentiality, integrity, and availability is low to limited, but the ability to upload arbitrary files can lead to further exploitation such as remote code execution or privilege escalation if combined with other vulnerabilities or misconfigurations. No patches or fixes are currently linked, and while no known exploits are active in the wild, the exploit code has been publicly disclosed, increasing the likelihood of exploitation attempts. This vulnerability primarily affects educational institutions using campcodes Online Student Enrollment System 1.0, which may be deployed in various regions including Europe.

For European organizations, especially educational institutions using campcodes Online Student Enrollment System 1.0, this vulnerability poses a risk of unauthorized file uploads by authenticated administrators or users with elevated privileges. Exploitation could lead to the deployment of malicious payloads such as web shells, enabling attackers to execute arbitrary code, manipulate student data, or disrupt enrollment services. This could result in data breaches involving sensitive student information, loss of data integrity, and potential downtime impacting enrollment processes. The medium severity rating reflects that while exploitation requires high privileges, the consequences of a successful attack can be significant, including reputational damage and regulatory non-compliance under GDPR if personal data is compromised. The public availability of exploit code increases the urgency for European organizations to address this vulnerability promptly to prevent targeted attacks.

1. Restrict file upload functionality by implementing strict server-side validation of file types, sizes, and content to prevent malicious files from being uploaded. 2. Enforce the principle of least privilege by limiting administrative access to only necessary personnel and using multi-factor authentication to reduce the risk of credential compromise. 3. Monitor and audit administrative actions and file uploads for suspicious activity, including unexpected file types or upload patterns. 4. Apply security patches or updates from campcodes as soon as they become available; if no official patch exists, consider temporary mitigations such as disabling the vulnerable upload feature or isolating the affected system. 5. Implement web application firewalls (WAF) with rules to detect and block attempts to exploit file upload vulnerabilities. 6. Conduct regular security assessments and penetration testing focused on file upload functionalities. 7. Educate administrators about the risks of uploading files and encourage secure handling of credentials and sessions.