GHSA-qv4m-m73m-8hj7: Authenticated Arbitrary File Upload leading to Remote Code Execution in NotrinosERP
Vulnerability ID: GHSA-QV4M-M73M-8HJ7
CVSS Score: 8.8
Published: 2026-07-10
An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.
TL;DR
Authenticated users with SA_EMPLOYEE permissions in NotrinosERP versions up to and including 1.0.0 can upload arbitrary PHP scripts via the employee document upload interface, resulting in remote code execution.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-434, CWE-79, CWE-22
- Attack Vector: Network
- CVSS Severity: 8.8 (High)
- EPSS Score: N/A
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- NotrinosERP Human Resource Management (HRM) module
-
NotrinosERP: <= 1.0.0 (Fixed in:
None)
Exploit Details
- GitHub Security Advisory: Advisory text containing full validation and reproduction steps for the file upload RCE vulnerability.
Mitigation Strategies
- Randomize upload filenames using server-generated UUIDs or unique hashes without executable extensions.
- Implement a strict allow-list of safe, non-executable document extensions (e.g., PDF, DOCX, PNG, JPG).
- Perform backend MIME-type validation of file contents using PHP's Fileinfo extension instead of relying on the user-supplied HTTP Content-Type header.
- Disable execution of scripts within the /company/ directory tree via web server configurations (.htaccess or Nginx location rules).
- Move the upload storage directory completely outside of the public web-server document root.
Remediation Steps:
- Open the file 'hrm/manage/employees.php' and locate the 'tab_documents()' function.
- Replace the direct filesystem write logic that uses '$_FILES['doc_file']['name']' with a secure path generator using a unique UUID.
- Update 'hrm/includes/ui/employee_ui.inc' to sanitize and HTML-encode any stored filenames before outputting them to 'href' attributes to block stored XSS.
- Deploy an '.htaccess' file in '/company/0/documents/' containing 'php_admin_flag engine off' to block script execution in the upload tree.
References
Read the full report for GHSA-QV4M-M73M-8HJ7 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)