Threat Advisory

Paymenter Vulnerability Evades Nginx Attachment Barriers

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2025-58048 with a CVSS score of 9.9 is a remote code execution flaw in the Paymenter ticket-attachments component. The vulnerability stems from an unrestricted file-upload mechanism that fails to validate the type or content of files submitted by authenticated users, allowing a malicious actor to place a crafted script or binary into a web-accessible storage directory. An attacker who can obtain a low-privilege account—such as a legitimate customer or support staff member—can exploit the flaw by uploading a PHP web shell or other executable payload through the ticket attachment interface, which the server may execute under the web-server user context when the file is accessed. Successful exploitation grants the attacker full code execution on the host, enabling access to sensitive database records, configuration files, and arbitrary system command execution. This can result in data breaches, credential exposure, service disruption, and complete compromise of the underlying server infrastructure. Exploitation requires only authenticated access to the ticket system and the ability to trigger a request that stores the malicious file within the /storage/ path.
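The check below is an added example, not code from Paymenter or from the advisory: it audits an attachment directory for what the summary describes, files carrying a script extension and files whose content holds PHP tags or executable headers. The `storage` default path, the extension list and the marker list are assumptions to adapt to the deployment.

```python
# Added example: audit an attachment directory for files a web server could execute.
# The default path and the marker lists are assumptions, not values from Paymenter.
import os
import sys

# Extensions commonly mapped to an interpreter by web-server configs (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht", ".cgi", ".pl", ".py", ".sh"}
# Content markers: PHP open tags, plus shebang, ELF and PE headers.
PHP_TAGS = (b"<?php", b"<?=")
BINARY_MAGIC = {b"\x7fELF": "ELF binary", b"MZ": "PE binary", b"#!": "shebang script"}

def classify(path, head_bytes=65536):
    """Return a list of reasons the file looks executable (empty if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every dot-separated suffix so 'invoice.php.jpg' is also caught.
    for part in name.split(".")[1:]:
        if "." + part in SCRIPT_EXTS:
            reasons.append(f"script extension .{part}")
            break
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    for magic, label in BINARY_MAGIC.items():
        if head.startswith(magic):
            reasons.append(label)
    # PHP tags can sit anywhere, e.g. appended after valid image bytes.
    if any(tag in head.lower() for tag in PHP_TAGS):
        reasons.append("embedded PHP open tag")
    return reasons

def audit(root):
    """Walk root and return {relative_path: reasons} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):
                continue  # do not follow links out of the upload tree
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

if __name__ == "__main__":
    # Assumed default; point it at the deployment's attachment storage path.
    root = sys.argv[1] if len(sys.argv) > 1 else "storage"
    for rel, why in sorted(audit(root).items()):
        print(f"{rel}: {', '.join(why)}")
```

A hit is a lead for review rather than proof of compromise; compare the file's timestamp with the ticket that stored it and with web-server access logs for requests to the same name.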


RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-5pm9-r2m8-rcmj