ZeroWdd studentmanager
cpe:2.3:a:zerowdd:studentmanager:*:*:*:*:*:*:*
- 1.0
A critical vulnerability allowing unrestricted file uploads has been identified in ZeroWdd Studentmanager version 1.0. The issue resides in the TeacherController, specifically within the addTeacher and editTeacher functions. This vulnerability allows the upload of files with dangerous extensions, such as JSP and HTML, which can be processed by the application. Although the uploaded files are initially inaccessible and require a system restart to be accessed, this flaw could still be exploited remotely.
An attacker who exploits this vulnerability can upload arbitrary files, including malicious files that the application then executes or processes, potentially leading to further attacks or exploitation.
To reproduce this vulnerability, upload a file with a JSP or HTML extension using the addTeacher or editTeacher functions in the TeacherController. After uploading, restart the application to access the file. The uploaded files will be located in the 'src/main/resources/static/upload/imgs' directory.