### Critical Vulnerability Information

#### Vulnerability Overview

- **CVE ID**: CVE-2023-46865
- **Title**: Post-Auth Unrestricted File Upload and Code Execution via IDAT in Crater Invoice
- **Security Advisory ID**: NBS-2023-0004
- **Affected Products and Versions**: Crater Invoice <= 6.0.6
- **Vendor/Product Description**: Crater is an open-source web and mobile application for tracking expenses and payments and for creating professional invoices and estimates.

#### Vulnerability Details

- **Issue Description**: Crater Invoice contains an unrestricted file upload vulnerability. An authenticated attacker can upload a PNG file whose IDAT chunk carries PHP code and have that code executed on the server.
- **Root Cause**: The upload path lacks input validation, so dangerous file types reach the server, and the `Base64Mime` check class can be bypassed: a file that passes as an image can still contain executable PHP.
- **Impact**: Users with elevated privileges (such as superadmin) can exploit the `/api/v1/company/upload-logo` endpoint to upload a specially crafted PHP payload, leading to code execution on the underlying operating system (post-authentication remote code execution).

#### Proof of Concept (PoC)

- **Example**: Uses Python scripts and curl commands.
- **PoC Code Repository**: https://github.com/asylumdx/Crater-CVE-2023-46865-RCE

#### Mitigation Strategy

- **Immediate Actions**: Until an official patch is released by the vendor, restrict network access to the application to authorized administrators only; exploitation requires an authenticated high-privilege account, so limiting who can reach the upload endpoint limits exposure.

#### Timeline

- **2023-04-08**: Security advisory submitted to vendor
- **2023-04-20**: Vendor acknowledged the report
- **2023-10-28**: Security advisory submitted to CVE assigner
- **2023-10-30**: CVE ID assigned
- **2023-11-10**: Security advisory publicly released
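The Vulnerability Details section above says the root cause is a bypassable MIME check and a PHP payload carried in a PNG IDAT chunk. The following is an added example, not Crater's code and not the vendor's fix, that shows the mechanism and the kind of check that closes it: it builds a decodable PNG whose IDAT bytes contain a harmless PHP-style marker string verbatim, shows that a signature-only sniff accepts it, and then runs a stricter validator that CRC-checks every chunk, sanity-checks IHDR, re-encodes the pixel stream and stores the result under a server-chosen name. It assumes (the advisory does not describe the class internals) that the bypassed check only looks at the leading bytes of the decoded upload, and it operates on raw bytes rather than the base64 form the endpoint may accept; `signature_only_check`, `sanitize_png` and `accept_logo` are names chosen for this example.

```python
"""Added example, not Crater code and not the vendor's fix: a valid PNG whose
IDAT chunk carries text verbatim, the kind of signature-only check it slips
past, and a stricter validator that re-encodes the image before storage.
Assumption (not stated in the advisory): the bypassed check only sniffs the
decoded upload for a known image signature."""
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Harmless stand-in for an attacker's payload; only the open tag matters here.
MARKER = b"<?php echo 'marker'; ?>"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def polyglot_png(text: bytes) -> bytes:
    """Build a decodable 8-bit greyscale PNG, one row high, whose pixel bytes
    are `text`.  zlib level 0 emits stored (uncompressed) deflate blocks, so
    the IDAT chunk contains `text` byte-for-byte: the file is a real image
    and, read as text, also contains the payload (PHP-in-IDAT mechanism)."""
    ihdr = struct.pack(">IIBBBBB", len(text), 1, 8, 0, 0, 0, 0)
    raw = b"\x00" + text                    # filter type 0 + one scanline
    idat = zlib.compress(raw, 0)            # stored blocks keep bytes literal
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def signature_only_check(blob: bytes) -> bool:
    """Stand-in for a MIME sniff that only inspects the leading bytes.  It
    accepts the polyglot because the polyglot really is a PNG."""
    return blob[:8] == PNG_SIG or blob[:3] == b"\xff\xd8\xff" or blob[:4] == b"GIF8"


def parse_png_chunks(blob: bytes):
    """Walk the chunk list with CRC checks; raise ValueError on anything odd."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("missing IHDR or IEND")
    return chunks


_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def sanitize_png(blob: bytes, max_pixels: int = 4_000_000) -> bytes:
    """Re-encode an upload as a fresh PNG: parse and CRC-check every chunk,
    sanity-check IHDR, decompress and size-check the pixel stream, then emit
    only IHDR/IDAT/IEND with the pixels recompressed.  Ancillary chunks are
    dropped and the IDAT bytes are rewritten, so attacker-chosen bytes no
    longer appear verbatim in what gets stored.  Interlaced images are
    rejected to keep the row-size check simple."""
    chunks = parse_png_chunks(blob)
    ihdr = chunks[0][1]
    if len(ihdr) != 13:
        raise ValueError("bad IHDR length")
    width, height, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if not width or not height or width * height > max_pixels:
        raise ValueError("unreasonable dimensions")
    if comp or filt or interlace or ctype not in _CHANNELS or depth not in (1, 2, 4, 8, 16):
        raise ValueError("unsupported IHDR fields")
    raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    row = 1 + (width * _CHANNELS[ctype] * depth + 7) // 8   # filter byte + samples
    if len(raw) != row * height:
        raise ValueError("pixel stream does not match IHDR")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")


def accept_logo(blob: bytes) -> tuple[bytes, str]:
    """Stricter upload path: sanitize, refuse anything that still contains a
    PHP open tag, and store under a server-chosen random name with a fixed
    .png extension so the client never controls the extension."""
    clean = sanitize_png(blob)
    if b"<?" in clean:
        raise ValueError("script tag survived re-encoding")
    return clean, secrets.token_hex(16) + ".png"


if __name__ == "__main__":
    poly = polyglot_png(MARKER)
    print("signature-only check accepts polyglot:", signature_only_check(poly))
    print("payload literal in upload:", MARKER in poly)
    clean, name = accept_logo(poly)
    print("payload literal after re-encoding:", MARKER in clean, "->", name)
```

The sniff passes because the polyglot is a genuine PNG; the stricter path passes it too, but what gets written to disk is a re-encoded image under a name and extension the uploader never chose, which is what removes the route from "upload a logo" to "execute PHP". Storing logos outside the web root or behind a handler that never executes scripts is the complementary control this example does not show.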