CVE-2020-28136

HIGH

Tourism Management System 1.0 - Unauthenticated Arbitrary File Upload via Admin Create Package

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28136. PoCs published by Ankita Pal.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in Tourism Management System 1.0, allowing an attacker to upload a malicious PHP file via a multipart form request. The uploaded file can execute arbitrary PHP code, leading to remote code execution (RCE).

Description

An arbitrary file upload vulnerability discovered in SourceCodester Tourism Management System 1.0 allows the user to conduct remote code execution via the vulnerable admin/create-package.php page.

Exploits (1)

exploitdb WORKING POC
by Ankita Pal · text · webapps · php
https://www.exploit-db.com/exploits/48892

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Tourism Management System 1.0
Auth required
Prerequisites: Access to the admin panel · Valid session cookie (PHPSESSID)
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48892

Scores

CVSS v3: 8.8
EPSS: 0.0294
EPSS Percentile: 85.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): phpgurukul/tourism_management_system 1.0
Published: Nov 17, 2020
Tracked Since: Feb 18, 2026