<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Paymenter (&lt; 1.2.11) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/paymenter--1.2.11/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:08:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/paymenter--1.2.11/feed.xml" rel="self" type="application/rss+xml"/><item><title>Paymenter vulnerable to Remote Code Execution via public file uploads</title><link>https://feed.craftedsignal.io/briefs/2026-07-paymenter-rce-file-upload/</link><pubDate>Fri, 03 Jul 2026 11:08:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-paymenter-rce-file-upload/</guid><description>A critical remote code execution (RCE) vulnerability, CVE-2025-58048, in Paymenter's ticket attachments functionality allows an authenticated, low-privileged user to upload arbitrary files, leading to full compromise of the application and underlying server, enabling attackers to extract sensitive data, read credentials, and execute arbitrary system commands.</description><content:encoded><![CDATA[<p>A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-58048, has been identified in Paymenter, a billing and client management software. This flaw specifically impacts the ticket attachments functionality, allowing a malicious authenticated user with low privileges to upload arbitrary files to the server. These files, when placed in a publicly accessible directory and subsequently executed due to improper web server configuration, grant attackers full control over the application and the underlying server. Exploitation enables malicious actors to extract sensitive data, including customer information from the database, read credentials from configuration files such as <code>.env</code>, and execute arbitrary system commands under the context of the web server user. The vulnerability is present in versions prior to v1.2.11 and was patched in commit <code>87c3db42282ada1e3cda54b9a01f846926c0669b</code>, released as v1.2.11.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated, low-privileged user logs into the Paymenter application and accesses the ticket attachments functionality.</li>
<li>The attacker crafts and uploads a malicious file, such as a webshell (e.g., <code>shell.php</code>), masquerading it as a legitimate attachment.</li>
<li>The Paymenter application processes the upload and stores the malicious file in a publicly accessible directory, typically <code>/storage/</code>.</li>
<li>The attacker then directly accesses the uploaded malicious file (e.g., <code>https://[paymenter_domain]/storage/shell.php</code>) via a web browser or automated tool.</li>
<li>Due to an insecure web server configuration (e.g., Nginx serving <code>/storage/</code> files without forcing a download), the server executes the malicious file instead of serving it as static content.</li>
<li>The executed webshell grants the attacker Remote Code Execution (RCE) capabilities under the web server's user context.</li>
<li>Leveraging RCE, the attacker extracts sensitive data from the database, reads credentials from configuration files (e.g., <code>.env</code>), or executes arbitrary system commands to further compromise the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability is deemed Critical as it allows a low-privilege authenticated user to fully compromise the Paymenter application and its underlying server. If exploited, attackers can gain unauthorized access to sensitive customer information stored in the database, pilfer critical credentials from <code>.env</code> or other configuration files, and execute arbitrary system commands. This level of access permits complete control over the affected system, enabling data exfiltration, further lateral movement, and potential disruption of services. While specific victim counts are not available, any Paymenter installation running a vulnerable version is at risk, particularly those that handle customer data and payments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2025-58048 immediately:</strong> Upgrade Paymenter to version v1.2.11 or later as described in the patches section of this brief.</li>
<li><strong>Apply Nginx mitigation:</strong> If immediate upgrade is not possible, implement the provided Nginx configuration to force downloads for files in the <code>/storage/</code> directory, preventing their execution as described in the content section.</li>
<li><strong>Deploy WAF controls:</strong> Utilize a Web Application Firewall (WAF) to disallow direct access to the <code>/storage/</code> directory, as mentioned in the workaround section, until the patch can be applied.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote-code-execution</category><category>web-application</category><category>php</category><category>critical-vulnerability</category><category>file-upload</category><category>webshell</category></item></channel></rss>