CVE-2019-25630 — HIGH (8.8)

Vulnerability Description

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Phreesoft	Phreebookserp	5.2.3

Related Weaknesses (CWE)

CWE-434

References

https://sourceforge.net/projects/phreebooks/files/latest/downloadProduct
https://www.exploit-db.com/exploits/46644ExploitThird Party AdvisoryVDB Entry
https://www.phreesoft.com/Product
https://www.vulncheck.com/advisories/phreebooks-erp-arbitrary-file-upload-via-imThird Party Advisory

FAQ

What is CVE-2019-25630?

CVE-2019-25630 is a vulnerability with a CVSS score of 8.8 (HIGH). PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image up...

How severe is CVE-2019-25630?

CVE-2019-25630 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-25630?

Check the references section above for vendor advisories and patch information. Affected products include: Phreesoft Phreebookserp.