CVE-2025-58048
Paymenter vulnerable to Remote Code Execution via public file uploads
Description
### Impact

The ticket attachment feature in Paymenter lets any authenticated user upload arbitrary files, including server-side scripts. Because attachments are written to a publicly served path (/storage/, as the workarounds below imply), an uploaded script can be requested directly and is executed by the web server. With arbitrary code execution an attacker can, among other things:

- extract sensitive data from the database (e.g. customer information);
- read credentials from .env or other configuration files;
- run arbitrary system commands under the web server's user account.

The issue is rated Critical: a low-privilege authenticated user can fully compromise the application and the underlying server.

### Patches

The vulnerability was fixed in https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b and released as [v1.2.11](https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11), which contains no other code changes relative to v1.2.10.

### Workarounds

If upgrading is not immediately possible, administrators can reduce exposure with one or more of the following measures:

- Change the nginx configuration so that files under /storage/ are always served as downloads and never handed to the PHP handler:

```
# ^~ makes this prefix match final: the usual `location ~ \.php$` block is never
# consulted for anything under /storage/, so an uploaded .php file is not executed.
location ^~ /storage/ {
    # Empty the MIME map so every attachment gets the generic type below,
    # which browsers download rather than render.
    types { }
    default_type application/octet-stream;
    # Stop browsers from sniffing HTML/JS out of attachments.
    add_header X-Content-Type-Options nosniff;
    # Serve the file as-is or 404; do not fall back to the application front controller.
    try_files $uri =404;
}
```

  The `^~` modifier is essential: a plain `location /storage/` prefix would still lose to the `~ \.php$` regex location and the script would run. The rule must live in the same `server` block as the PHP handler. Deployments behind Apache or another front-end need an equivalent rule that disables script execution for that path.

- Block access to /storage/ entirely at a WAF such as Cloudflare. This also blocks legitimate attachment downloads.

These workarounds significantly reduce risk, but the only guaranteed resolution is upgrading to v1.2.11 or later.
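Why the workaround must use `^~` is a matter of nginx's location-selection order, which is easy to get wrong. The following Python model is added here as an illustration and is not code from Paymenter or from the advisory. It implements nginx's documented selection order (an exact `=` match first; then the longest matching prefix, which wins outright if it carries `^~`; otherwise regex locations in configuration order; falling back to the remembered prefix) and runs a constructed attacker path through three configurations: a typical Laravel-style server block, a well-meant prefix location without `^~`, and the advisory's `^~ /storage/` rule. The handler labels, the `/storage/tickets/shell.php` path and the configurations are constructed for the example; nested locations and other nginx corner cases are deliberately left out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Location:
    """One nginx `location` block: modifier ('', '=', '^~', '~', '~*'), pattern, handler label."""
    modifier: str
    pattern: str
    handler: str


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Simplified model of nginx's documented location selection.

    1. A `=` location equal to the URI wins immediately.
    2. Among prefix locations ('' and '^~') the longest match is remembered;
       if it carries `^~`, regex locations are skipped and it wins.
    3. Otherwise regex locations ('~', '~*') are tried in config order; first match wins.
    4. If no regex matches, the remembered prefix location is used.
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc

    best_prefix: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix

    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    return best_prefix


# Constructed configurations; handler labels stand in for the directives inside each block.
FRONT_CONTROLLER = Location("", "/", "laravel-front-controller")  # try_files ... /index.php
PHP_FPM = Location("~", r"\.php$", "php-fpm")                      # fastcgi_pass to PHP
STATIC_DOWNLOAD = "storage-download"                               # default_type application/octet-stream

# Typical Laravel-style server block: every *.php URI reaches PHP-FPM, uploads included.
VULNERABLE = [FRONT_CONTROLLER, PHP_FPM]

# Well-meant but ineffective: a plain prefix location still loses to the `~ \.php$` regex.
NAIVE = [FRONT_CONTROLLER, Location("", "/storage/", STATIC_DOWNLOAD), PHP_FPM]

# The advisory's workaround: `^~` makes the prefix match final, so the regex is never consulted.
HARDENED = [FRONT_CONTROLLER, Location("^~", "/storage/", STATIC_DOWNLOAD), PHP_FPM]


def handler_for(config: List[Location], uri: str) -> str:
    """Return the handler label nginx would dispatch `uri` to under `config`."""
    loc = select_location(config, uri)
    return loc.handler if loc else "no-match"


if __name__ == "__main__":
    uploaded = "/storage/tickets/shell.php"  # constructed path for an attacker-uploaded script
    for name, cfg in (("vulnerable", VULNERABLE), ("naive", NAIVE), ("hardened", HARDENED)):
        print(f"{name:10s} {uploaded} -> {handler_for(cfg, uploaded)}")
    # The application itself keeps working: /index.php still reaches PHP-FPM.
    print(f"hardened   /index.php -> {handler_for(HARDENED, '/index.php')}")
```

Running the model shows the uploaded script dispatched to `php-fpm` under both the vulnerable and the naive configuration, and to the static-download block only under the `^~` rule, while `/index.php` still reaches PHP-FPM. When checking a live deployment, `nginx -T` prints the effective configuration and lets you confirm that the `^~ /storage/` block sits in the same `server` block as the `\.php$` handler.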
How to fix CVE-2025-58048
To fix CVE-2025-58048, upgrade the affected package to the patched version listed below.
- Upgrade to 1.2.11 or later
Is CVE-2025-58048 being exploited?
There is currently no exploitation signal: CVE-2025-58048 is not listed in CISA KEV and has no recent EPSS score. Note that the flaw requires only a low-privilege authenticated account, so the absence of a signal is not a reason to defer the upgrade.
Affected packages (1)
- from 0, < 1.2.11 (every release before 1.2.11)