Primary

Context

WebTareas File Upload Vulnerability Leading to Authenticated Remote Code Execution

Vulnerability

A file upload vulnerability allowing authenticated users to upload malicious PHP files has been identified in WebTareas version 2.4. This vulnerability arises from the chat photo upload feature, where uploaded files are stored in the '/files/Messages/' directory. Once the PHP files are uploaded, they can be executed directly via the generated file path, leading to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where WebTareas is hosted.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a PHP file containing arbitrary code through the chat photo upload functionality. The uploaded file will be saved in the '/files/Messages/' directory. After the upload, the file can be accessed via its generated file path, executing the contained code on the server.

Added: Dec 22, 2025, 10:45 PM

Updated: Dec 22, 2025, 10:45 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.6

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.6

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WebTareas File Upload Vulnerability Leading to Authenticated Remote Code Execution

Vulnerability

Impact

Reproduction

Affected Products

WebTareas

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating