CVE-2021-36622

CRITICAL

Online Covid Vaccination Scheduler System - Unrestricted File Upload

Title source: rule

Description

Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to Arbitrary File Upload. The admin panel has a profile photo upload function accessible at http://localhost/scheduler/admin/?page=user. An attacker could upload a malicious file such as shell.php with the Content-Type: image/png. The attacker then has to visit the uploaded profile photo to access the shell.

Exploits (1)

exploitdb WORKING POC
by faisalfs10x · python · webapps · php
https://www.exploit-db.com/exploits/50114

Scores

CVSS v3 9.8
EPSS 0.0041
EPSS Percentile 61.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
online_covid_vaccination_scheduler_system_project/online_covid_vaccination_scheduler_system 1.0
Published Aug 03, 2021
Tracked Since Feb 18, 2026