CVE-2021-47936

OpenCATS · OpenCATS

A remote code execution vulnerability in OpenCATS allows unauthenticated attackers to execute arbitrary system commands by uploading malicious PHP files as resume attachments.

Executive summary

An unauthenticated remote code execution vulnerability in OpenCATS allows attackers to gain full control of the server via malicious file uploads disguised as resumes.

Vulnerability

The flaw is an unrestricted file upload in the job application form on the public careers page. The endpoint accepts the resume attachment without checking that it is actually a document, so an unauthenticated attacker can submit a PHP file in its place. Because the stored attachment sits in a web-accessible directory where the server still executes PHP, requesting the file's path directly runs the attacker's script, which yields remote code execution in the context of the web server user.

Business impact

The CVSS base score of 9.8 (Critical) reflects that the flaw is reachable over the network with no authentication and no user interaction. Successful exploitation lets an attacker run system commands on the host, which can lead to complete compromise of the server and to the applicant database behind it, including the personal data held in candidate records.

Remediation

Immediate Action: Update OpenCATS to a fixed release, one that enforces strict validation of uploaded attachments and prevents stored files from being executed. Until the update is in place, treat every deployment with a public careers page as exposed.

Proactive Monitoring: Search the attachment upload directories for files with PHP-handled extensions (.php, .phtml, .phar, .php5 and similar) and for files that contain a PHP open tag despite a document-like name, then review web server access logs for requests to such files under the upload path, especially ones carrying query strings. A hit in the logs means the vulnerability was exploited, not merely probed, and the host should be treated as compromised.

Compensating Controls: Configure the web server so that nothing under the directory holding user-submitted files is executed as a script (for Apache, a FilesMatch rule that denies PHP-handled names in that directory; for nginx, a location block for the upload path that never hands requests to PHP-FPM). Stronger still, store attachments outside the web root and serve them through an application download handler, so that no uploaded file has a directly requestable path at all.
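The monitoring and compensating-control steps above, as an added example script that is not OpenCATS project code: it lists PHP payloads in an attachment directory (by extension and by content), pulls access-log lines that requested such files under the upload URL path, and writes an Apache 2.4 .htaccess that refuses to serve script-like names from that directory. The attachment directory, the /attachments/ URL prefix, the common log format and the Apache 2.4 syntax are assumptions; the sample files and log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not OpenCATS project code: hunt for PHP payloads in an OpenCATS
# attachment directory, find access-log requests that reached them, and drop a
# hardening .htaccess into that directory. Paths (attachment directory, log file,
# the /attachments/ URL prefix) are assumptions; adjust them for your deployment.
set -u

# List files under an upload directory that a PHP handler would execute, or that
# carry a PHP open tag despite a document-like name (a "cv.doc" that is really a
# script). Output is sorted and de-duplicated, one path per line.
find_php_uploads() {
    find "$1" -type f -print | while IFS= read -r f; do
        lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.php|*.phtml|*.phar|*.phps|*.php3|*.php4|*.php5|*.php7)
                printf '%s\n' "$f" ;;
            *)
                if grep -qF '<?php' "$f" 2>/dev/null; then printf '%s\n' "$f"; fi ;;
        esac
    done | sort -u
}

# Print access-log lines (common/combined format) that request a PHP-handled
# file below the upload URL prefix, e.g. GET /attachments/.../shell.php?cmd=id.
suspicious_log_hits() {
    log="$1"; prefix="$2"
    grep -iE "\"(GET|POST|HEAD) ${prefix}[^ \"]*\.(php[0-9]?|phtml|phar|phps)([?/ ])" "$log" || true
}

# Write an Apache 2.4 .htaccess that refuses to serve PHP-handled names from the
# upload directory (AllowOverride must permit it). It deliberately avoids
# php_flag, which produces a 500 error when PHP is not running as mod_php.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Added hardening: never execute or serve script-like names from this directory.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample data for a stand-alone run: a benign PDF, an obvious PHP
# file, a PHP script disguised as a .doc, and a small access log. The careers
# request path and attachment subdirectories are illustrative, not real data.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/attachments"
    printf '%%PDF-1.4\nbenign resume\n' > "$d/attachments/resume.pdf"
    printf '<?php echo 1; ?>\n' > "$d/attachments/shell.php"
    printf 'not really a document\n<?php echo 2; ?>\n' > "$d/attachments/cv.doc"
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /careers/index.php?p=applyToJob HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "GET /attachments/0x1f/shell.php?cmd=id HTTP/1.1" 200 87
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /attachments/0x20/resume.pdf HTTP/1.1" 200 40231
203.0.113.5 - - [10/Mar/2024:12:02:15 +0000] "GET /attachments/0x1f/shell.php HTTP/1.1" 200 87
EOF
    printf '%s\n' "$d"
}

# Run with --demo to exercise the three functions on the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "== PHP payloads in upload dir"; find_php_uploads "$d/attachments"
    echo "== Requests that reached them"; suspicious_log_hits "$d/access.log" /attachments/
    write_upload_htaccess "$d/attachments"
    echo "== Hardening written to $d/attachments/.htaccess"; cat "$d/attachments/.htaccess"
    rm -rf "$d"
fi
```

Point find_php_uploads at the real attachment directory and suspicious_log_hits at the real access log (with the URL prefix your vhost actually serves attachments under); any line the second function returns is evidence of execution, not just of an upload attempt. The .htaccess only helps when Apache honours overrides for that path and PHP is dispatched by file name; on nginx the equivalent is a location block for the upload prefix with no fastcgi_pass, and in both cases moving attachments outside the web root removes the problem rather than filtering it.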

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Remote code execution that needs no authentication is among the most severe risks a web application can carry. Organizations running OpenCATS with a public careers page should apply the update immediately, put the web server control from the Remediation section in place in the meantime, and inspect upload directories and access logs for signs of earlier exploitation before assuming the host is clean.