Campcodes Sales and Inventory System
cpe:2.3:a:campcodes:sales_and_inventory_system:*:*:*:*:*:*:*
- v1.0
A critical file upload vulnerability has been identified in Campcodes Sales and Inventory System version 1.0. The issue resides in the file '/pages/product.php', where the 'Picture' argument can be manipulated to allow unrestricted file uploads. This vulnerability can be exploited remotely, potentially leading to the upload of malicious files that could be executed within the application's environment.
Exploitation allows arbitrary file uploads: a malicious file that the application then processes could potentially lead to remote code execution.
To reproduce this vulnerability, upload a file through the '/pages/product.php' interface. The application does not properly sanitize or filter the uploaded files, allowing for the upload of dangerous file types. Once uploaded, the file can be accessed through the application, demonstrating the successful exploitation of the vulnerability.
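The control missing from the upload path described above is server-side validation of the picture before it is stored. The PHP below is an added example of that validation, not code from the application or from this advisory; the function name `store_product_picture`, the size limit, the allowed types, the storage path, and the use of `Picture` as the multipart field name are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical names and limits: nothing here is taken from the application.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_PICTURE_BYTES = 2 * 1024 * 1024;

function store_product_picture(array $upload, string $storageDir): string
{
    // Reject failed, multi-file, or out-of-range uploads.
    if (!isset($upload['error']) || is_array($upload['error'])
        || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($upload['size'] <= 0 || $upload['size'] > MAX_PICTURE_BYTES) {
        throw new RuntimeException('File size not accepted');
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // Decide the type from the file content, never from the
    // client-supplied file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('File type not accepted');
    }
    // The file must also parse as an image.
    if (getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Server-generated name; the extension comes from the allowlist,
    // so a client-chosen extension such as .php never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage in the request handler (path is a placeholder):
// $name = store_product_picture($_FILES['Picture'], '/var/app-data/product-pictures');
```

The storage directory should be one where the web server does not execute scripts, so that a file that slips past validation is still served as static content only.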