CVE-2019-20183
Employee Records System 1.0 - Unauthenticated Arbitrary File Upload via Client-Side Extension Validation Bypass
Severity: HIGH. Nuclei template: available.
Title source: LLM
Exploitation Summary
CVE-2019-20183 has a Nuclei detection template available (see Nuclei Templates below).
Description
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is performed only on the client side. The attacker can modify global.js to allow the .php extension.
Nuclei Templates (1)
Simple Employee Records System 1.0 - Unrestricted File Upload
Severity: HIGH. Authors: pikpikcu, j4vaovo
References (1)
https://medium.com/%40Pablo0xSantiago/cve-2019-20183-employee-records-system-bypass-file-upload-to-rce-ea2653660b34
Scores
CVSS v3
7.2
EPSS
0.0700
EPSS Percentile
93.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
employee_records_system_project/employee_records_system
1.0
Published
Jan 09, 2020
Tracked Since
Feb 18, 2026