Executive Summary
A critical remote code execution vulnerability (CVE-2021-47936) has been identified in OpenCATS 0.9.4, an open-source applicant tracking system (ATS) widely deployed by HR teams and recruiting departments. The flaw carries a CVSS score of 9.8 and requires no authentication to exploit.
Attackers can upload a malicious PHP file disguised as a resume attachment through the public-facing careers job application endpoint. Once the file lands on the server, it can be directly requested to trigger arbitrary command execution under the web server's process context.
Organizations running OpenCATS 0.9.4 or earlier should apply vendor patches immediately, or take the instance offline until a patched release can be deployed.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-47936 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Type | Remote Code Execution via File Upload |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — apply latest OpenCATS release |
Affected Versions
| Product | Affected Versions | Status |
|---|---|---|
| OpenCATS | 0.9.4 and earlier | Vulnerable |
| OpenCATS | Patched releases | Fixed |
Technical Analysis
Root Cause
OpenCATS 0.9.4's public career portal allows job applicants to submit resumes as file attachments. The server-side file validation does not adequately restrict the type or content of uploaded files, so an attacker can upload a file with a .php extension (or a MIME type the server maps to PHP) that the server will execute when it is requested.
The uploaded file is stored in a web-accessible directory, and the attacker can retrieve the file via a direct HTTP request to trigger execution.
Attack Flow
1. Attacker identifies an OpenCATS instance with a public careers/jobs endpoint
2. Attacker crafts a malicious PHP file (e.g., webshell.php) with arbitrary OS commands
3. Attacker submits a job application via the careers endpoint:
- Attaches the .php payload as a "resume" file
- The server accepts the file without enforcing extension or content-type restrictions
4. Attacker determines or guesses the upload destination path
5. Attacker issues an HTTP GET request to the uploaded PHP file URL
6. PHP interpreter executes the payload — attacker achieves RCE under web server context
7. Attacker can now read files, pivot to the database, create backdoors, or escalate privileges
Exploitation Conditions
- Target must run OpenCATS 0.9.4 or earlier with the careers module active
- The upload directory must be web-accessible (default configuration)
- No authentication required — the careers portal is intended to be publicly accessible
- Minimal technical skill required; a simple PHP webshell is sufficient
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary OS commands executed as the web server user |
| Database Compromise | Direct access to candidate PII, HR data, credentials |
| Webshell Persistence | Attacker can install persistent backdoors |
| Server Pivoting | Lateral movement to internal network resources |
| Data Exfiltration | All application data accessible, including uploaded resumes |
| Full System Takeover | Potential privilege escalation to root depending on server config |
Immediate Remediation
Step 1: Patch or Upgrade OpenCATS
Update to the latest OpenCATS release that addresses CVE-2021-47936. Review the official OpenCATS GitHub repository for patched releases and release notes.
```shell
# Check current OpenCATS version
grep -r "APP_VERSION" /path/to/opencats/config.php
# Review available releases
# https://github.com/opencats/OpenCATS/releases
```
Step 2: Restrict the Upload Directory
If an immediate patch is not possible, prevent PHP execution in the upload directory:
```apache
# Apache — put this in the main server or vhost configuration (a <Directory>
# block is not valid inside .htaccess; in .htaccess use only the inner directives)
<Directory "/path/to/opencats/upload">
    # mod_php only: disable the PHP engine for this tree (remove if using PHP-FPM)
    php_flag engine off
    # Serve everything as static content; never hand files to a script handler
    SetHandler default-handler
    Options -ExecCGI -Includes
    # Refuse to serve script-like extensions at all, even if a vhost-level
    # FilesMatch routes .php to PHP-FPM
    <FilesMatch "\.(php\d?|phtml|phar|pl|py|jsp|asp|sh|cgi)$">
        Require all denied
    </FilesMatch>
</Directory>
```
```nginx
# Nginx — deny PHP execution in upload paths; this regex location must appear
# before the generic "location ~ \.php$" block that proxies to PHP-FPM
location ~* /upload/.*\.php$ {
    deny all;
    # return runs in the rewrite phase, so the client sees 404 rather than 403
    return 404;
}
```
Step 3: Audit for Compromise
```shell
# Search for PHP files in upload directories (likely webshells); include the
# alternative extensions a PHP handler may also execute
find /path/to/opencats/upload/ -type f \( -iname "*.php*" -o -iname "*.phtml" -o -iname "*.phar" \)
# Check recently uploaded files for suspicious content
find /path/to/opencats/upload/ -newer /path/to/opencats/index.php -type f
# Grep for common webshell indicators (expect some false positives in documents)
grep -r "system\|exec\|passthru\|shell_exec\|popen\|base64_decode" /path/to/opencats/upload/
# Review web server access logs for unusual POST requests to careers endpoints
grep "POST.*careers\|POST.*upload" /var/log/apache2/access.log | tail -100
```
Step 4: Validate File Uploads at the Application Level
For organizations patching or developing custom ATS solutions:
```php
<?php
// Example: server-side MIME and extension validation for the "resume" field
$allowed_types = ['application/pdf', 'application/msword',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document'];
$allowed_extensions = ['pdf', 'doc', 'docx'];

// Reject missing, failed or non-upload inputs before inspecting them
if (!isset($_FILES['resume']) || $_FILES['resume']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['resume']['tmp_name'])) {
    die('No valid upload received.');
}
// Extension comes from the client-supplied name; MIME is sniffed from the file content
$file_ext  = strtolower(pathinfo($_FILES['resume']['name'], PATHINFO_EXTENSION));
$file_mime = mime_content_type($_FILES['resume']['tmp_name']);
if (!in_array($file_mime, $allowed_types, true) || !in_array($file_ext, $allowed_extensions, true)) {
    die('Invalid file type. Only PDF, DOC, and DOCX are accepted.');
}
// Store under a server-generated name (e.g. bin2hex(random_bytes(16)) . '.' . $file_ext) outside the web root
```
Detection Indicators
| Indicator | Description |
|---|---|
| PHP files in upload directory | Webshells or backdoors planted post-exploitation |
| POST requests to careers/upload endpoints with .php payloads | Active exploitation attempt |
| Unexpected outbound connections from web server process | Reverse shell or data exfiltration |
| Database queries executed from web process user | Evidence of RCE being used for DB access |
| New files in web root with random names | Uploaded persistence mechanisms |
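The following script is an added example, not OpenCATS code and not part of the advisory; it implements the Step 3 audit and the log-based indicators in the table above in one place. `audit_upload_dir` walks an upload directory and flags script extensions, embedded PHP open tags (polyglot documents or images) and the webshell functions listed in Step 3; `scan_access_log` classifies Apache combined-format access-log lines into POSTs to the careers module and requests for scripts under `/upload/`. The uploaded filename is not visible in the access log, so the two checks are meant to be correlated. The sample files, the log lines, and the `/careers/` and `/upload/` path patterns are constructed assumptions; adjust them to the deployment.

```python
"""Added example (not OpenCATS code): audit an upload directory for script
payloads and scan Apache access-log lines for the advisory's indicators.
Paths, endpoint names and all sample data below are constructed assumptions."""
import os
import re
import tempfile

# Extensions a PHP-enabled web server may execute if the file is requested directly
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Functions commonly seen in webshells (the Step 3 grep list, plus eval/assert/proc_open)
SHELL_INDICATORS = re.compile(
    rb"\b(system|exec|passthru|shell_exec|popen|proc_open|eval|assert|base64_decode)\s*\(",
    re.IGNORECASE)

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Assumed endpoint patterns; the careers module path differs per deployment
CAREERS_RE = re.compile(r"/careers/", re.IGNORECASE)
UPLOAD_SCRIPT_RE = re.compile(r"/upload/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def audit_upload_dir(upload_dir):
    """Return sorted (relative_path, [reasons]) for files that should not be in an upload tree."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # inspect the first 64 KiB of content
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script extension")
            if b"<?php" in head or b"<?=" in head:
                reasons.append("php open tag")  # e.g. a JPEG or PDF with PHP appended
            if SHELL_INDICATORS.search(head):
                reasons.append("shell indicator")
            if reasons:
                findings.append((os.path.relpath(path, upload_dir), reasons))
    return sorted(findings)


def scan_access_log(lines):
    """Return (ip, path, indicator) for log lines matching the advisory's indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "POST" and CAREERS_RE.search(path):
            # Every applicant submission looks like this; review, don't block on it
            hits.append((m["ip"], path, "careers-upload-post"))
        elif UPLOAD_SCRIPT_RE.search(path):
            # Any request for a script in the upload tree; a 200 means it likely ran
            hits.append((m["ip"], path, "upload-script-request-%d" % status))
    return hits


def build_sample_upload_dir():
    """Create a throwaway upload tree holding constructed sample files; returns its path."""
    d = tempfile.mkdtemp(prefix="opencats_upload_")
    samples = {
        "cv_77.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",  # benign
        "resume_1234.php": b"<?php system('true'); ?>\n",                  # script via upload
        "photo.jpg": b"\xff\xd8\xff\xe0<?php phpinfo(); ?>",                # image with PHP tag
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


# Constructed access-log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /careers/index.php?p=showAll HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /careers/index.php?p=onApplyToJob HTTP/1.1" 302 -',
    '203.0.113.5 - - [10/Oct/2023:13:56:09 +0000] "GET /upload/resume_1234.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Oct/2023:14:02:00 +0000] "GET /upload/cv_77.pdf HTTP/1.1" 200 40211',
]

if __name__ == "__main__":
    for rel, reasons in audit_upload_dir(build_sample_upload_dir()):
        print("FILE  %-20s %s" % (rel, ", ".join(reasons)))
    for ip, path, kind in scan_access_log(SAMPLE_LOG):
        print("LOG   %-14s %-28s %s" % (kind, path, ip))
```

Run against a real instance by pointing `audit_upload_dir` at the OpenCATS upload path and feeding `scan_access_log` the lines of the access log; a script request under `/upload/` with status 200 from the same address that posted to the careers module shortly before is the sequence the Attack Flow section describes.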
Post-Remediation Checklist
- Update OpenCATS to the latest patched version
- Block PHP execution in all upload-accessible directories via web server config
- Audit all files in the upload directory for PHP or script payloads
- Review access logs for evidence of prior exploitation (POST to careers/upload)
- Rotate all credentials stored in or accessible from the application (DB, SMTP, etc.)
- Scan for webshells using a file integrity monitor or dedicated scanner
- Restrict web server permissions — run as a dedicated non-privileged user
- Enable WAF rules targeting file upload abuse (OWASP CRS)
- Segment the ATS from internal HR/IT systems if not already done
- Monitor for re-exploitation with alerts on new files in upload directories