CVE-2021-47936
CriticalSummary
OpenCATS version 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
Risk Assessment
This vulnerability poses a significant risk to organizations, allowing attackers to execute remote code, which can lead to system takeover. Unsecured applications may be exposed to various attacks, including data theft and resource destruction.
Recommendation
It is recommended to update OpenCATS to the latest version that addresses this vulnerability. Additionally, implement security measures such as scanning uploaded files and restricting allowed attachment types.
Original NVD description (English source)
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

