CVE-2018-12054

HIGH NUCLEI

PHP Scripts Mall Schools Alert Mgt - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-12054. PoCs published by M3@Pandas. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file read vulnerability in Schools Alert Management Script via path traversal in the 'img.php' endpoint. The PoC shows how to read '/etc/passwd' by manipulating the 'f' parameter.

Description

Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.

Exploits (1)

exploitdb WORKING POC

by M3@Pandas · textwebappsphp

https://www.exploit-db.com/exploits/44874

View Code ZIP pw:eip

This exploit demonstrates an arbitrary file read vulnerability in Schools Alert Management Script via path traversal in the 'img.php' endpoint. The PoC shows how to read '/etc/passwd' by manipulating the 'f' parameter.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Schools Alert Management Script

No auth needed

Prerequisites: Network access to the vulnerable web application

MITRE ATT&CK

T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Schools Alert Management Script - Arbitrary File Read

HIGHby wisnupramoedya

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/unh3x/just4cve/issues/4

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44874/

Scores

CVSS v3 7.5

EPSS 0.3939

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

schools_alert_management_script_project/schools_alert_management_script

Published Jun 08, 2018

Tracked Since Feb 18, 2026