An issue exists in tramyardg autoexpress version 1.3.0, allows unauthenticated remote malicious users to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.
Tramyardg Autoexpress version 130 allows for authentication bypass via unauthenticated API access to admin functionality This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles ...