CVE-2019-25647
CVE-2019-25647
8.7
HighPublished:
Last updated:
Source:disclosure@vulncheck.com
Analyzed
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- None
- Integrity (Subsequent)
- None
- Availability (Subsequent)
- None
Description
PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands.
References
disclosure@vulncheck.com
https://sourceforge.net/projects/phreebooks/disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46645disclosure@vulncheck.com
https://www.phreesoft.com/disclosure@vulncheck.com
https://www.vulncheck.com/advisories/phreebooks-erp-remote-code-execution-via-image-manager