Unknown · FacturaScripts · CVE-2026-42879
**Name of the Vulnerable Software and Affected Versions**
FacturaScripts versions prior to 2025.81
**Description**
An authenticated unrestricted file upload issue exists in the product image upload functionality. An attacker with valid credentials can bypass MIME type validation by prepending GIF89a magic bytes to a PHP file, causing the system to incorrectly identify it as an image. The vulnerability is located in the `addImageAction()` function within `Core/Lib/ExtendedController/ProductImagesTrait.php`. Because the system saves files using their original names, an attacker can upload executable files with extensions such as `.php` to a web-accessible directory, potentially leading to remote code execution.
**Recommendations**
For versions prior to 2025.81, implement the following measures:
- Validate file extensions to reject any upload ending in `.php`, `.phtml`, `.phar`, or other executable extensions.
- Re-generate filenames on the server using a safe UUID-based name instead of using `getClientOriginalName()`.
- Store uploaded files outside the webroot and serve them through a controller to prevent direct URL execution.
- Use a file type library to validate actual file content, including magic bytes, extensions, and MIME types, rather than trusting client-supplied data.
- As a temporary workaround, restrict access to the `addImageAction()` function or the `Core/Lib/ExtendedController/ProductImagesTrait.php` component to minimize the risk of exploitation.
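The first four recommendations combined into one upload handler, as an added example that is not FacturaScripts's own code. It assumes the file arrives as a Symfony `UploadedFile` (the class `getClientOriginalName()` belongs to) and that `$storageDir` points outside the webroot; a random hex name stands in for the UUID suggested above, and the function name is illustrative.

```php
<?php
// Added example (not FacturaScripts code): hardened handling for an
// uploaded product image. Assumes $file is a Symfony UploadedFile and
// $storageDir is a directory outside the webroot.

use Symfony\Component\HttpFoundation\File\UploadedFile;

function storeProductImage(UploadedFile $file, string $storageDir): string
{
    $allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif'];
    $extForMime  = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
        'image/gif'  => ['gif'],
    ];

    // 1. Decide by an allowlist of image extensions, which rejects .php,
    //    .phtml, .phar and anything else not listed. The client filename
    //    is untrusted, so normalise it before inspecting it.
    $ext = strtolower(pathinfo($file->getClientOriginalName(), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('Rejected: extension not in image allowlist');
    }

    // 2. Sniff the bytes on disk, never the client-supplied Content-Type.
    //    Caveat: a PHP file prefixed with "GIF89a" still sniffs as image/gif,
    //    so this check alone does not stop the bypass described above;
    //    steps 1, 3 and 4 are what remove the execution risk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file->getPathname());
    if (!in_array($mime, $allowedMime, true)) {
        throw new RuntimeException('Rejected: content is not an image');
    }

    // 3. Require the sniffed type to agree with the extension.
    if (!in_array($ext, $extForMime[$mime], true)) {
        throw new RuntimeException('Rejected: extension does not match content');
    }

    // 4. Never reuse the client name: generate a random server-side name
    //    with the validated extension and move the file outside the webroot,
    //    so it can only be served back through a controller.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $file->move($storageDir, $name);
    return $name;
}
```

Any file that reaches step 4 is named and placed by the server, so even an image that carries embedded PHP is never reachable as a `.php` URL.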