CVE-2019-25647

Published: Mar 24, 2026 Last Modified: Mar 24, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands.

434

Unrestricted Upload of File with Dangerous Type

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: ASP.NET, Not Language-Specific, PHP

Technologies: Web Server

Likelihood of Exploit: Medium

View CWE Details

https://sourceforge.net/projects/phreebooks/

https://sourceforge.net/projects/phreebooks/

https://www.exploit-db.com/exploits/46645

https://www.exploit-db.com/exploits/46645

https://www.phreesoft.com/

https://www.phreesoft.com/

https://www.vulncheck.com/advisories/phreebooks-erp-remote-…

https://www.vulncheck.com/advisories/phreebooks-erp-remote-code-execution-via-i…