{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/notrinos/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NotrinosERP (\u003c= 1.0.0)"],"_cs_severities":["high"],"_cs_tags":["web-application","remote-code-execution","file-upload","php","notrinos"],"_cs_type":"advisory","_cs_vendors":["Notrinos"],"content_html":"\u003cp\u003eAn authenticated remote code execution vulnerability exists in NotrinosERP versions up to and including 1.0.0. An attacker with the HR \u0026quot;Manage Employees\u0026quot; permission (\u003ccode\u003eSA_EMPLOYEE\u003c/code\u003e) can exploit this by uploading a file with an arbitrary extension, such as a \u003ccode\u003e.php\u003c/code\u003e web shell, through the employee \u0026quot;Documents\u0026quot; tab. The \u003ccode\u003etab_documents()\u003c/code\u003e function in \u003ccode\u003ehrm/manage/employees.php\u003c/code\u003e fails to validate file extensions, MIME types, or content, directly storing the client-supplied filename in a web-accessible directory. This allows the attacker to execute arbitrary commands on the server by navigating to the newly uploaded web shell. The vulnerability also includes a stored Cross-Site Scripting (CWE-79) sink due to unescaped file paths, and potential path traversal (CWE-22) on certain PHP builds. This threat enables attackers to gain control over the hosting server, posing a significant risk to data integrity and system availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication and Initial Access\u003c/strong\u003e: An attacker obtains valid credentials for a NotrinosERP user account with the \u003ccode\u003eSA_EMPLOYEE\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCSRF Token Retrieval\u003c/strong\u003e: The attacker logs into NotrinosERP and navigates to the HRM employee \u0026quot;Documents\u0026quot; tab (\u003ccode\u003e/hrm/manage/employees.php?_tabs_sel=tab_documents\u003c/code\u003e) to obtain a valid CSRF token (\u003ccode\u003e_token\u003c/code\u003e) from the HTML response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious File Upload Request\u003c/strong\u003e: The attacker crafts a multipart \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/hrm/manage/employees.php\u003c/code\u003e including the obtained CSRF token, a valid \u003ccode\u003edoc_type_id\u003c/code\u003e, and a malicious PHP file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) containing a web shell payload (e.g., \u003ccode\u003e\u0026lt;?php system($_GET['c']); ?\u0026gt;\u003c/code\u003e) in the \u003ccode\u003edoc_file\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write\u003c/strong\u003e: Due to a lack of validation in the \u003ccode\u003etab_documents()\u003c/code\u003e function, NotrinosERP stores the malicious PHP file with its original \u003ccode\u003e.php\u003c/code\u003e extension verbatim in a web-accessible directory, typically \u003ccode\u003ecompany/0/documents/employees/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell URL Discovery\u003c/strong\u003e: The system echoes the exact path to the uploaded file into a clickable \u0026quot;View\u0026quot; link in the employee \u0026quot;Documents\u0026quot; tab, allowing the attacker to discover the web shell's URL (e.g., \u003ccode\u003e/company/0/documents/employees/1_\u0026lt;unix_ts\u0026gt;_shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to the discovered web shell URL, passing OS commands as a parameter (e.g., \u003ccode\u003e?c=id\u003c/code\u003e or \u003ccode\u003e?c=whoami\u003c/code\u003e), which are then executed by the web server on the underlying operating system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in full remote code execution (RCE) on the server hosting NotrinosERP. This allows an authenticated attacker, holding the \u003ccode\u003eSA_EMPLOYEE\u003c/code\u003e role (which may not be an administrator role by default), to compromise the entire system. The impact includes unauthorized access to sensitive data, potential data exfiltration, modification or deletion of critical information, and the ability to establish persistent access. The vulnerability also exposes the system to secondary issues like stored Cross-Site Scripting (XSS), which could impact other users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect NotrinosERP Web Shell Upload Attempt\u0026quot; to your SIEM to identify suspicious multipart file uploads.\u003c/li\u003e\n\u003cli\u003eImplement robust file upload validation at the web server level, specifically blocking executable extensions like \u003ccode\u003e.php\u003c/code\u003e in the \u003ccode\u003e/company/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs for your NotrinosERP instance include \u003ccode\u003erequest_body\u003c/code\u003e content for HTTP POST requests to facilitate detection of malicious payloads.\u003c/li\u003e\n\u003cli\u003eApply available patches for NotrinosERP to address arbitrary file upload vulnerabilities. The suggested fix involves not using client filenames, enforcing extension/MIME allow-lists, and storing uploads outside the web root.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eSA_EMPLOYEE\u003c/code\u003e role permissions to only trusted personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:39:35Z","date_published":"2026-07-10T19:39:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-notrinos-erp-rce/","summary":"An authenticated user with the 'SA_EMPLOYEE' permission in NotrinosERP can upload arbitrary files, including PHP web shells, through the HRM employee 'Documents' tab, leading to remote code execution due to a lack of extension, MIME, or content validation.","title":"NotrinosERP Authenticated Arbitrary File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-notrinos-erp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Notrinos","version":"https://jsonfeed.org/version/1.1"}