CRITICAL🇵🇱 Wersja polska

CVE-2023-5636

CVSS 9.8v3.1pub. 2023-12-01upd. 2026-05-20

Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Command Injection. This issue affects Education Portal: before v1.1.

🤖 AI Analysis
How it works

The vulnerability mechanism (CWE-434) consists of a lack of proper file type verification on the server side. An attacker can send a file containing malicious code (e.g., webshell) without needing to authenticate. After placing such a file on the server, it is possible to trigger command injection — execution of arbitrary commands in the context of the web server process.

Impact

An attacker gains the ability to remotely execute arbitrary commands on the server (RCE), which may result in complete system takeover, data theft, and violation of the integrity and availability of the entire platform.

Mitigation & patch

ArslanSoft Education Portal must be immediately updated to version v1.1 or newer. Details are available in the manufacturer's references and the TR-23-0670 message published by USOM.

Who is affected

ArslanSoft Education Portal in all versions before v1.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arslansoft Education Portal Project Arslansoft Education Portal

    APP
    Arslansoft Education Portal Project
    < 1.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-5634CRITICAL9.8PL ✓ten sam produkt

SQL Injection w ArslanSoft Education Portal — krytyczna podatność

CVE-2023-5635HIGH7.5ten sam produkt

Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal...

CVE-2023-5637HIGH7.5ten sam produkt

Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Read Sensi...