PhreeBooks ERP Arbitrary File Upload Vulnerability in Image Manager Component

Vulnerability

An arbitrary file upload vulnerability exists in PhreeBooks ERP version 5.2.3 in the Image Manager component. The image upload endpoint, 'bizuno/image/manager', does not restrict the uploaded file to image types, so an authenticated user can submit a PHP file through the 'imgFile' parameter and have it stored on the server. The stored file can then be reached and executed through the 'bizunoFS.php' script, which turns the upload into remote code execution. Authentication is required, but no elevated role is reported: any account that can reach the Image Manager is enough.

Impact

Successful exploitation gives the attacker remote code execution on the host running PhreeBooks ERP, in the context of the web server (or PHP-FPM) user that runs the application. From there the attacker can read the application's database credentials and configuration and pivot to anything else reachable from that host.

Reproduction

To reproduce this vulnerability, log in and open the Image Manager component. Choose a PHP file in the upload field (the form submits it as the 'imgFile' parameter to the 'bizuno/image/manager' endpoint) and submit the form. A harmless marker file that only echoes a fixed string is sufficient to confirm execution; nothing more is needed. Once the upload is accepted, request the 'bizunoFS.php' script with the parameters that point it at the uploaded file; the server executes the file and returns its output.
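The upload-then-execute sequence described above leaves a recognisable trace in the web server's access log: a POST to 'bizuno/image/manager' followed, from the same client, by a request to 'bizunoFS.php' that names a PHP file. The following detector is an added example, not code from this advisory or from the PhreeBooks project. It assumes Apache/nginx combined log format, a 15-minute correlation window, and that the endpoint string may appear either as a path or inside a routing query parameter (the advisory does not say which), so it matches the endpoint as a substring of the whole request target. The query parameter that 'bizunoFS.php' uses to select a file is not given in the advisory, so every query value is inspected; the 'src' parameter in the sample log lines is a constructed placeholder.

```python
"""
Flag the upload-then-execute chain from the PhreeBooks advisory in access logs:
a POST to bizuno/image/manager followed, from the same client, by a request to
bizunoFS.php that names a PHP file. Added example; not PhreeBooks code.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" format; only the leading fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_ENDPOINT = "bizuno/image/manager"   # upload endpoint named in the advisory
EXEC_SCRIPT = "bizunofs.php"               # execution script named in the advisory
PHP_NAME_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)  # assumed: names PHP would execute
WINDOW = timedelta(minutes=15)             # assumed correlation window


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def is_upload_post(ev):
    """POST whose target contains the upload endpoint, as a path or a routing parameter."""
    return ev["method"] == "POST" and UPLOAD_ENDPOINT in unquote(ev["target"]).lower()


def php_file_requested(ev):
    """True when the request hits bizunoFS.php and any query value names a PHP file.
    The advisory does not name the parameter, so every query value is inspected."""
    u = urlsplit(ev["target"])
    if not u.path.lower().endswith(EXEC_SCRIPT):
        return False
    for values in parse_qs(u.query, keep_blank_values=True).values():
        for v in values:
            if PHP_NAME_RE.search(unquote(v).strip()):
                return True
    return False


def analyze(lines):
    """Correlate upload POSTs with later PHP-file requests to bizunoFS.php per client IP."""
    uploads = {}            # ip -> timestamps of upload POSTs seen so far
    chains, unpaired = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_post(ev):
            uploads.setdefault(ev["ip"], []).append(ev["ts"])
            continue
        if php_file_requested(ev):
            prior = [t for t in uploads.get(ev["ip"], []) if timedelta(0) <= ev["ts"] - t <= WINDOW]
            record = {"ip": ev["ip"], "exec_ts": ev["ts"],
                      "exec_target": ev["target"], "status": ev["status"]}
            if prior:
                record["upload_ts"] = max(prior)
                chains.append(record)
            else:
                unpaired.append(record)   # upload may predate the log window; still worth review
    return {"chains": chains, "php_requests_without_upload": unpaired}


# Constructed sample log; the 'src' parameter is an assumption, not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:12:40:01 +0000] "POST /bizuno/image/manager HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:12:40:05 +0000] "GET /bizunoFS.php?src=images/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Mar/2026:12:41:10 +0000] "POST /bizuno/image/manager HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Mar/2026:12:41:12 +0000] "GET /bizunoFS.php?src=images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Mar/2026:12:50:00 +0000] "GET /bizunoFS.php?src=x.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for c in result["chains"]:
        print(f"ALERT  {c['ip']}: upload {c['upload_ts']:%H:%M:%S}, "
              f"PHP request {c['exec_target']} at {c['exec_ts']:%H:%M:%S} (HTTP {c['status']})")
    for c in result["php_requests_without_upload"]:
        print(f"REVIEW {c['ip']}: {c['exec_target']} (HTTP {c['status']})")
```

On the sample the second client's legitimate image fetch is ignored, the first client is reported as a full chain, and the third client's PHP-file request with no preceding upload is listed separately for review rather than dropped, since the upload may have happened before the log window started or from another address. Feed `analyze()` the lines of a real access log to run it against production data.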

Added: Mar 24, 2026, 12:38 PM
Updated: Mar 24, 2026, 12:38 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.