PatchSiren cyber security CVE debrief

CVE-2026-42879 NeoRazorX CVE debrief

## Summary

FacturaScripts versions 2025.81 and earlier contain an authenticated unrestricted file upload vulnerability in the product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image by using a GIF89a header to bypass MIME type validation. The file is stored with its original executable extension (.php), enabling potential remote code execution. The vulnerability resides in the `addImageAction()` method of `Core/Lib/ExtendedController/ProductImagesTrait.php`.

## Technical Details

- **Affected Component**: Product image upload functionality (`ProductImagesTrait.php`)
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Privileges Required**: Low (authenticated user)
- **User Interaction**: None
- **Scope**: Unchanged
- **Impact**: Confidentiality (Low), Integrity (Low), Availability (Low)
- **Weaknesses**: CWE-94 (Improper Control of Generation of Code), CWE-434 (Unrestricted Upload of File with Dangerous Type)

The vulnerability allows authenticated attackers to bypass MIME type validation by prepending a GIF89a magic-bytes header to a PHP file. The validation checks only that the detected MIME type is an image type; it neither verifies that the content is a genuine image nor restricts dangerous extensions, so the file is stored with its original .php extension and can potentially be executed by the web server.

## Affected Versions

- FacturaScripts 2025.81 and earlier

## Recommended Actions

1. **Immediate**: Upgrade to a patched version of FacturaScripts when available
2. **Short-term**: Implement strict file extension validation and content inspection for uploaded files
3. **Short-term**: Configure the web server to deny execution of PHP files in upload directories
4. **Long-term**: Apply the principle of least privilege to file upload functionality
5. **Long-term**: Implement comprehensive file upload security controls, including content-type validation, extension whitelisting, and server-side file analysis

Vendor: NeoRazorX
Product: facturascripts
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations using FacturaScripts for accounting and invoicing operations

Technical summary

Authenticated file upload vulnerability in FacturaScripts product image functionality allows PHP execution via GIF89a header MIME bypass

Defensive priority

High

Recommended defensive actions

  • Upgrade to patched FacturaScripts version when available
  • Implement strict file extension validation for uploads
  • Configure web server to deny PHP execution in upload directories
  • Apply least privilege to file upload functionality
  • Implement comprehensive upload security controls
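As an added illustration of the controls this debrief recommends (extension validation, content inspection, and server-side naming, applied to the GIF89a-prefix bypass described in the technical details), here is a hardened upload check. It is not code from FacturaScripts or its maintainers; it assumes PHP with the GD extension loaded, and the filenames and byte strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not FacturaScripts code. Assumes the GD extension is available.

/**
 * Validate an uploaded product image and return a server-chosen filename,
 * or null if the upload must be rejected.
 *
 * @param string $clientName untrusted filename supplied by the client
 * @param string $bytes      raw file content
 */
function validateImageUpload(string $clientName, string $bytes, int $maxBytes = 2000000): ?string
{
    if ($bytes === '' || strlen($bytes) > $maxBytes) {
        return null;
    }

    // 1. Extension allowlist on the client name, applied before any content check:
    //    a ".php" name is rejected regardless of the claimed or sniffed MIME type.
    $allowed = ['gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. Magic-byte/MIME sniffing alone accepts "GIF89a" followed by arbitrary data,
    //    so require that GD can fully decode the bytes as an image instead.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    imagedestroy($img);

    // 3. The decoded image type must match the extension the client used.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;
    }

    // 4. Never persist the client filename: random name, extension chosen server-side.
    return bin2hex(random_bytes(16)) . '.' . image_type_to_extension($info[2], false);
}

// Constructed inputs: a GIF89a-prefixed non-image (a harmless stand-in for the
// disguised file the advisory describes) and a genuine 1x1 GIF.
$prefixedNonImage = 'GIF89a' . '<?php /* constructed placeholder, not a script */';
$realGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

var_dump(validateImageUpload('image.php', $prefixedNonImage)); // disallowed extension
var_dump(validateImageUpload('image.gif', $prefixedNonImage)); // allowed extension, non-image content
var_dump(validateImageUpload('logo.gif', $realGif));           // genuine image
```

Pair this with a web-server rule that denies PHP execution in the upload directory, so that a bypass of the application-level check still cannot produce code execution.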

Evidence notes

Vulnerability details sourced from NVD and GitHub Security Advisory. CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. Weaknesses identified as CWE-94 and CWE-434.
