Login Sign Up

CVE-2021-46079

7.2 HIGH

📋 TL;DR

An Unrestricted File Upload vulnerability in Vehicle Service Management System 1.0 allows remote attackers to upload malicious files containing HTML injection payloads. This affects all deployments of the vulnerable software version. Attackers can execute arbitrary HTML/JavaScript in victim browsers.

💻 Affected Systems

Products:
  • Sourcecodester Vehicle Service Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0 regardless of configuration.

📦 What is this software?

Vehicle Service Management System by Vehicle Service Management System Project

View all CVEs affecting Vehicle Service Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via HTML injection leading to session hijacking, credential theft, or further exploitation through chained attacks.

🟠

Likely Case

HTML injection leading to defacement, phishing attacks, or limited data exfiltration from user sessions.

🟢

If Mitigated

No impact if file uploads are properly validated and sanitized.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates file upload without authentication. Simple exploitation requiring only web access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement File Upload Validation

all

Add server-side validation to restrict file uploads to allowed types and sanitize content.

Web Application Firewall Rules

all

Configure WAF to block malicious file uploads and HTML injection attempts.

🧯 If You Can't Patch

  • Disable file upload functionality entirely in the application.
  • Implement network segmentation to isolate the vulnerable system from critical assets.

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a file with HTML/JavaScript content to the file upload endpoint. If accepted without validation, system is vulnerable.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Test file upload with malicious content; it should be rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, especially with .html/.htm extensions or suspicious content patterns.

Network Indicators:

  • HTTP POST requests to upload endpoints with unusual file types or sizes.

SIEM Query:

source="web_server" AND (method="POST" AND uri="*upload*" AND (file_extension="html" OR file_extension="htm"))

📊 Metadata

CVE ID: CVE-2021-46079
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Published: January 6, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46079, you might also want to check these:

CVE-2024-52490 10.0

This vulnerability allows attackers to upload arbitrary files, including web shells, to Pathomation ...

Same vulnerability type (CWE-434)
CVE-2024-43160 10.0

CVE-2024-43160 is an unauthenticated arbitrary file upload vulnerability in the BerqWP WordPress plu...

Same vulnerability type (CWE-434)
CVE-2024-8940 10.0

CVE-2024-8940 is a critical unrestricted file upload vulnerability in Scriptcase version 9.4.019 tha...

Same vulnerability type (CWE-434)