Tourism Management System 2.0 - Arbitrary Shell Upload



EKU-ID: 56293 CVE: CVE-2025-57642 OSVDB-ID:
Author: Debug Security Published: 2025-09-16 Verified: Not Verified

# Exploit Title: Tourism Management System 2.0 - Arbitrary Shell Upload
# Date: 2025-10-09
# Exploit Author: Debug Security
# Vendor Homepage: https://kodcloud.com/
# Software Link: https://github.com/sohamjuhin/Tourism-Management-System
# Version: v2.0
# Tested on: Windows 11, PHP 8.2.4, Apache 2.4.56
# CVE: CVE-2025-57642
# Reference: https://github.com/debug-security/CVE/tree/main/CVE-2025-57642


*Description:* A Shell Upload vulnerability in Tourism Management System 2.0
could allow an attacker to upload and execute malicious shell scripts on
the server. This can lead to unauthorized access or control over the
system, compromising sensitive data and functionality.

*Version:* 2.0

*Steps to Reproduce:*
1. First, visit this URL: http://target.com/index.php?user/login&link=
2. Then put any malicious URL in the link parameter.
3. Your link will look like:
http://target.com/index.php?user/login&link=https://{site}.com
4. Log in to your account and you will be redirected to the malicious URL.
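
A defender-side check for the steps above, added here as an example and not part of the original advisory or the project's code: it scans Apache access-log lines for login requests whose `link` parameter names a host other than the site's own. The combined log format, the own-host set (`target.com`, the advisory's placeholder) and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: client, timestamp, method, request URI, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def external_link_target(request_uri, own_hosts):
    """Return the off-site host named in `link` on the login route, else None."""
    parts = urlsplit(request_uri)
    # The route is the first, valueless query token: index.php?user/login&link=...
    route = unquote(parts.query.split("&", 1)[0])
    if not parts.path.endswith("index.php") or route != "user/login":
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("link", []):
        try:
            # Browsers read "\" as "/" and "//host" as scheme-relative.
            target = urlsplit(value.strip().replace("\\", "/"))
        except ValueError:
            continue  # malformed value that cannot be parsed as a URL
        host = (target.hostname or "").lower()
        if host and host not in own_hosts:
            return host
    return None

def find_redirect_abuse(log_lines, own_hosts):
    """Return (client, timestamp, off-site host) for each flagged request."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            client, when, _method, uri, _status = m.groups()
            host = external_link_target(uri, own)
            if host:
                hits.append((client, when, host))
    return hits

# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Sep/2025:10:01:02 +0000] "GET /index.php?user/login&link=https%3A%2F%2Fexample.net%2Fa HTTP/1.1" 200 5120',
    '203.0.113.8 - - [16/Sep/2025:10:02:10 +0000] "GET /index.php?user/login&link=http%3A%2F%2Ftarget.com%2Findex.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Sep/2025:10:03:44 +0000] "GET /index.php?user/login&link=%2F%2Fexample.org%2Fx HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Sep/2025:10:04:01 +0000] "GET /index.php?user/login HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in find_redirect_abuse(SAMPLE_LOG, {"target.com"}):
        print(hit)
```

The same host comparison, applied server-side to `link` before the post-login redirect is issued, is the corresponding mitigation.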