Crafter · Crater · CVE-2023-46865
**Name of the Vulnerable Software and Affected Versions**
crater versions 6.0.0 through 6.0.6
**Description**
The issue allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image, specifically through the "/api/v1/company/upload-logo" endpoint in CompanyController.php.
**Recommendations**
For versions 6.0.0 through 6.0.6, as a temporary workaround, consider disabling the "/api/v1/company/upload-logo" endpoint until a patch is available.
Restrict access to the CompanyController.php module to minimize the risk of exploitation.
Avoid using the image upload functionality in the affected API endpoint until the issue is resolved.