الثغرات ›

CVE-2026-11333

متوسط

CWE-284 — نوع الضعف

                    نُشر: Jun 5, 2026                      ·  آخر تحديث: Jun 8, 2026                      ·  المصدر: NVD                

CVSS v3

6.3

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard_page/forms/upload_student_data.php of the component Student Data Upload Endpoint. Such manipulation of the argument Student-Data-CSV leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

🤖 ملخص AI

CVE-2026-11333 is a medium-severity unrestricted file upload vulnerability in tittuvarghese CollegeManagementSystem affecting the student data upload endpoint. The vulnerability allows remote attackers to upload arbitrary files by manipulating the Student-Data-CSV parameter, potentially leading to remote code execution or data compromise. No patch is currently available, and the project has not responded to the disclosure.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Jun 5, 2026 20:16

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability poses significant risk to Saudi educational institutions using this system, particularly universities and colleges managing student records. Government education sector (Ministry of Education) and private educational institutions are at risk of data breach affecting student personal information, academic records, and potentially sensitive institutional data. Secondary impact includes potential compromise of institutional networks if RCE is achieved through malicious file uploads. Healthcare institutions using similar systems for student/staff management could also be affected.

🏢 القطاعات السعودية المتأثرة

Education - Universities and Colleges Government - Ministry of Education Healthcare - Medical institutions with student management Private Educational Institutions

🎯 تقنيات MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1434 - External Remote Services T1566 - Phishing T1204 - User Execution T1105 - Ingress Tool Transfer T1059 - Command and Scripting Interpreter T1083 - File and Directory Discovery T1005 - Data from Local System

⚖️ درجة المخاطر السعودية (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all instances of tittuvarghese CollegeManagementSystem in your organization

2. Restrict access to dashboard_page/forms/upload_student_data.php to authorized administrators only using firewall/WAF rules

3. Implement IP whitelisting for the upload endpoint

4. Disable the student data upload functionality if not actively in use



COMPENSATING CONTROLS:

5. Implement strict file type validation at the application level (whitelist only .csv extension)

6. Configure web server to prevent execution of uploaded files (disable script execution in upload directories)

7. Implement antivirus scanning on all uploaded files before processing

8. Monitor upload directory for suspicious file modifications

9. Implement request signing/CSRF tokens for upload operations

10. Log all upload attempts with source IP, timestamp, and file details



DETECTION:

11. Monitor for POST requests to upload_student_data.php with unusual file extensions

12. Alert on file uploads larger than expected CSV size

13. Monitor for execution attempts from upload directories

14. Track failed authentication attempts to the upload endpoint

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع نسخ نظام إدارة الكليات tittuvarghese في مؤسستك

2. تقييد الوصول إلى dashboard_page/forms/upload_student_data.php للمسؤولين المصرح لهم فقط باستخدام قواعد جدار الحماية

3. تطبيق قائمة بيضاء للعناوين IP لنقطة النهاية

4. تعطيل وظيفة تحميل بيانات الطلاب إذا لم تكن قيد الاستخدام النشط

الضوابط التعويضية:

5. تطبيق التحقق الصارم من نوع الملف على مستوى التطبيق (قائمة بيضاء بامتداد .csv فقط)

6. تكوين خادم الويب لمنع تنفيذ الملفات المحملة (تعطيل تنفيذ البرامج النصية في دلائل التحميل)

7. تطبيق فحص مكافحة الفيروسات على جميع الملفات المحملة قبل المعالجة

8. مراقبة دليل التحميل للتعديلات المريبة على الملفات

9. تطبيق توقيع الطلب/رموز CSRF لعمليات التحميل

10. تسجيل جميع محاولات التحميل مع عنوان IP المصدر والطابع الزمني وتفاصيل الملف

الكشف:

11. مراقبة طلبات POST إلى upload_student_data.php بامتدادات ملفات غير عادية

12. تنبيه على تحميلات الملفات الأكبر من حجم CSV المتوقع

13. مراقبة محاولات التنفيذ من دلائل التحميل

14. تتبع محاولات المصادقة الفاشلة لنقطة النهاية

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies and Procedures A.6.1.1 - Access Control Policy A.6.2.1 - User Registration and De-registration A.7.1.1 - Physical and Environmental Security A.8.1.1 - Cryptography Policy A.9.1.1 - Incident Management A.10.1.1 - Business Continuity Management

🔵 SAMA CSF

Governance & Risk Management - Risk Assessment and Management Information & Cybersecurity - Data Protection and Privacy Information & Cybersecurity - Access Control Operational Resilience - Incident Management and Response Third-Party Risk Management - Vendor Security Assessment

🟡 ISO 27001:2022

A.5.1 - Management Direction for Information Security A.6.1 - Internal Organization A.6.2 - Mobile Device and Teleworking A.8.1 - User Endpoint Devices A.8.2 - Privileged Access Rights A.8.3 - Information Access Restriction A.12.2 - Restrictions on Software Installation A.12.6 - Management of Technical Vulnerabilities

🔗 المراجع والمصادر 6

🔗

https://github.com/tittuvarghese/CollegeManagementSystem/

cna@vuldb.com

🔗

https://github.com/tittuvarghese/CollegeManagementSystem/issues/2

cna@vuldb.com

🔗

https://vuldb.com/cve/CVE-2026-11333

cna@vuldb.com

🔗

https://vuldb.com/submit/832530

cna@vuldb.com

🔗

https://vuldb.com/vuln/368871

cna@vuldb.com

🔗

https://vuldb.com/vuln/368871/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — متوسط

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 حقائق سريعة

الخطورة متوسط

CVSS Score6.3

CWECWE-284

EPSS0.04%

اختراق متاح لا

تصحيح متاح ✗ لا

تاريخ النشر 2026-06-05

المصدر nvd

المشاهدات 2

🇸🇦 درجة المخاطر السعودية

6.8

/ 10.0 — مخاطر السعودية

أولوية: HIGH

🏷️ الوسوم

CWE-284

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-11333

عرّفنا بنفسك

تسجيل الدخول مطلوب