ZeroWdd Studentmanager Unrestricted File Upload Vulnerability

Vulnerability

A critical unrestricted file upload vulnerability has been identified in ZeroWdd Studentmanager version 1.0. The issue is in the StudentController and TeacherController classes, where the addStudent, editStudent, addTeacher, and editTeacher methods do not validate the extension or the content of uploaded files. As a result, JSP and HTML files can be uploaded. Uploaded JSP files, however, cannot be accessed until the application is restarted.

Impact

Exploitation of this vulnerability allows arbitrary file uploads, including JSP files that could be executed on the server once the application is restarted, and HTML files that are served immediately.

Reproduction

To reproduce this vulnerability, upload a JSP or HTML file through any of the affected methods in the StudentController or TeacherController. An uploaded HTML file can be accessed immediately; an uploaded JSP file becomes accessible only after the application is restarted.
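The root cause above is that the controllers accept whatever extension and bytes the client sends. The following is an added example of how such an upload handler can be hardened; it is not code from the Studentmanager project, and the class, method and parameter names (SafeImageUpload, reject, store, uploadRoot) are assumptions for the illustration. It accepts only an allowlist of image extensions, requires the file content to match the claimed type's signature, discards the client-supplied name in favour of a random server-chosen one, and refuses anything that would land outside the upload directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/** Hypothetical hardened upload helper; not part of Studentmanager. */
public class SafeImageUpload {

    // Allowlist of accepted extensions and the leading bytes each must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
            "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});

    private static final long MAX_BYTES = 2L * 1024 * 1024;   // 2 MiB cap, chosen for the example
    private static final SecureRandom RNG = new SecureRandom();

    /** Lower-cased extension of the last path segment, or null if there is none. */
    static String extensionOf(String clientName) {
        // The client controls the whole name; keep only the final segment and drop any directories.
        String base = Paths.get(clientName.replace('\\', '/')).getFileName().toString();
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) return null;
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Returns null when the upload is acceptable, otherwise the reason it is rejected. */
    public static String reject(String clientName, byte[] content) {
        if (content == null || content.length == 0) return "empty upload";
        if (content.length > MAX_BYTES) return "file too large";
        String ext = extensionOf(clientName);
        if (ext == null) return "missing extension";
        byte[] magic = MAGIC.get(ext);   // .jsp, .html and anything else not listed stops here
        if (magic == null) return "extension not allowed: " + ext;
        // The extension alone proves nothing; the bytes must look like the claimed image type.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            return "content does not match ." + ext + " signature";
        }
        return null;
    }

    /** Writes an accepted upload under a server-chosen random name inside uploadRoot. */
    public static Path store(Path uploadRoot, String clientName, byte[] content) throws IOException {
        String why = reject(clientName, content);
        if (why != null) throw new IllegalArgumentException(why);
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder name = new StringBuilder();
        for (byte b : rnd) name.append(String.format("%02x", b));
        name.append('.').append(extensionOf(clientName));
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(name.toString()).normalize();
        if (!target.startsWith(root)) throw new IllegalStateException("path escaped upload root");
        Files.createDirectories(root);
        Files.write(target, content);
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a minimal PNG header and a harmless JSP snippet.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0};
        byte[] jsp = "<% out.println(\"hello\"); %>".getBytes(StandardCharsets.UTF_8);
        byte[] html = "<b>x</b>".getBytes(StandardCharsets.UTF_8);

        // Each case exercises one check: allowlisted type, disallowed extension,
        // allowed extension with mismatching bytes, double extension, and a traversal-style name.
        System.out.println("avatar.png / PNG bytes  -> " + reject("avatar.png", png));
        System.out.println("avatar.jsp / JSP bytes  -> " + reject("avatar.jsp", jsp));
        System.out.println("avatar.png / JSP bytes  -> " + reject("avatar.png", jsp));
        System.out.println("a.png.jsp  / PNG bytes  -> " + reject("a.png.jsp", png));
        System.out.println("../x.html  / HTML bytes -> " + reject("../x.html", html));

        Path saved = store(Files.createTempDirectory("uploads"), "avatar.png", png);
        System.out.println("stored as " + saved.getFileName());
    }
}
```

In a Spring controller the helper would be fed with the multipart file's getOriginalFilename() and getBytes(). Two deployment details matter as much as the validation: uploadRoot should be a directory outside the exploded web application, so the servlet container never compiles anything stored there as a JSP (restart or not), and files served back to users should carry a Content-Disposition: attachment header and X-Content-Type-Options: nosniff, so an uploaded HTML file is never rendered in the application's origin.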

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.