PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager

Advisories

PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager

severity: high
date: 3/24/2026
Affecting: PhreeBooks ERP <= 5.2.3
CVE: CVE-2019-25630
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-46644
Official Product Homepage
Product Reference
Credit: Abdullah Çelebi
Description: PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the bizuno/image/manager endpoint and execute them via the bizunoFS.php script for remote code execution.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo