CVE-2024-10410

MEDIUM

Online Hotel Reservation System 1.0 - Unrestricted File Upload via Image Parameter in Room Add Function


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-10410. PoCs published by K1nakoo.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2024-10410, an arbitrary file upload vulnerability in the Online Hotel Reservation System. The vulnerability allows remote attackers to bypass image validation by prepending a GIF header to malicious PHP code, leading to remote code execution (RCE).

Description

A vulnerability classified as critical was found in SourceCodester Online Hotel Reservation System 1.0. Affected by this vulnerability is the function upload of the file /admin/mod_room/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Exploits (1)

nomisec WRITEUP
by K1nakoo · poc
https://github.com/K1nakoo/CVE-2024-10410


Classification: Writeup (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Online Hotel Reservation System in PHP/MySQLi
Authentication: No auth needed
Prerequisites: Access to the target system's upload endpoint · Ability to craft a malicious file with a GIF header
Analyzed by devstral-2 · Feb 18, 2026

References (5)

Core References
https://vuldb.com/?id.281953 (Third Party Advisory, VDB Entry; technical description)
https://vuldb.com/?ctiid.281953 (Permissions Required, Third Party Advisory, VDB Entry; signature)
https://vuldb.com/?submit.431502 (Third Party Advisory, VDB Entry)

Scores

CVSS v3 6.3
EPSS 0.0109
EPSS Percentile 61.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (1)
janobe/online_hotel_reservation_system 1.0
Published Oct 27, 2024
Tracked Since Feb 18, 2026