CVE-2025-7477: Unrestricted Upload in code-projects Simple Car Rental System
A vulnerability, which was classified as critical, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_cars.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7477 is a vulnerability in version 1.0 of the Simple Car Rental System developed by code-projects. It is an unrestricted file upload issue in the /admin/add_cars.php endpoint, reached through the 'image' parameter: the handler accepts the uploaded file without adequate validation of its type or content, so an attacker can store arbitrary files on the server. The CVSS vector describes a remotely reachable attack that needs no user interaction, but it also carries 'PR:H' (privileges required: high), so the attacker must already hold elevated (administrative) access to the application before the upload can be abused. The CVSS 4.0 base score is 5.1, medium severity. An unrestricted upload of this kind can lead to execution of attacker-supplied code on the server and so threatens the confidentiality, integrity, and availability of the system; the high-privilege requirement limits the practical impact by ruling out direct exploitation by unauthenticated attackers. The exploit has been publicly disclosed, but no exploitation in the wild is currently known, and no patch has been published. Only version 1.0 of this niche car-rental management application is affected. The issue illustrates the basics of secure file upload handling: validation of file type and size on the server side, and proper access control on administrative functions.
Potential Impact
For European organizations using the Simple Car Rental System 1.0, this vulnerability poses a moderate risk. If exploited, attackers with high privileges could upload malicious files, potentially leading to server compromise, data leakage, or disruption of rental services. This could affect the confidentiality of customer data, integrity of rental records, and availability of the service. Given the niche nature of the software, the overall impact on the broader European market is limited. However, individual car rental companies relying on this system could face operational disruptions and reputational damage. The requirement for high privileges to exploit the vulnerability reduces the likelihood of external attackers exploiting it directly, but insider threats or attackers who have already gained elevated access could leverage this vulnerability to escalate their control or maintain persistence. Compliance with European data protection regulations such as GDPR could be impacted if customer data is compromised due to this vulnerability.
Mitigation Recommendations
Organizations should immediately assess whether they are using Simple Car Rental System version 1.0 and restrict access to the /admin/add_cars.php endpoint to trusted administrators only. Implement strict file upload validation controls, including whitelisting allowed file types, enforcing file size limits, and scanning uploaded files for malware. Employ web application firewalls (WAFs) to detect and block suspicious upload attempts. Monitor administrative accounts for unusual activity to detect potential exploitation. Since no official patch is currently available, consider isolating the affected system within the network to limit exposure. Additionally, review and harden privilege management to ensure that only necessary personnel have high-level access. Regularly back up critical data and test restoration procedures to mitigate potential data loss. Finally, stay informed on vendor updates or patches addressing this vulnerability and apply them promptly once released.
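The validation controls recommended above, shown as an added PHP example of a hardened handler for an 'image' upload field; this is not the project's own add_cars.php code, and the upload directory, size limit and the admin-session helper named in the usage comment are assumptions.

```php
<?php
// Added example (not from the advisory or the code-projects project): a hardened
// handler for an "image" upload field of the kind /admin/add_cars.php receives.
// Assumptions: UPLOAD_DIR and MAX_IMAGE_BYTES are hypothetical deployment choices.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;          // enforce a size limit (2 MiB here)
const UPLOAD_DIR = __DIR__ . '/../uploads/cars';   // serve this directory with script execution disabled
// Server-side allow-list keyed by the sniffed MIME type, never by the client-supplied name or type.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validates one entry of $_FILES and stores it under a random, server-chosen name.
 * Returns the stored file name; throws RuntimeException on any check that fails.
 */
function storeCarImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('Image exceeds size limit');
    }
    // Sniff the real content type from the bytes; $_FILES['image']['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Disallowed content type: ' . $mime);
    }
    // Require that the file actually decodes as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }
    // Derive the extension from the sniffed type and discard the original filename,
    // which is where unexpected extensions and path fragments arrive.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store image');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Usage inside the admin handler (requireAdminSession() is a hypothetical access-control helper):
// requireAdminSession();
// $stored = storeCarImage($_FILES['image'] ?? []);
```

The size and content checks address the 'image' parameter directly; the session check and the non-executable upload directory address the access-control and execution sides of the same finding.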
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-11T12:42:05.023Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6872752fa83201eaacb4e7c9
Added to database: 7/12/2025, 2:46:07 PM
Last enriched: 7/12/2025, 3:01:12 PM
Last updated: 7/12/2025, 3:26:45 PM