| Title | WebKul Krayin CRM 2.2.0 Authenticated Arbitrary File Upload |
|---|---|

**Description**
Krayin CRM 2.2.0 (and earlier 2.x builds that ship the same controller) contains an authenticated arbitrary-file-upload vulnerability in the TinyMCE media handler that leads to remote code execution under the webserver account.

The endpoint `POST /admin/tinymce/upload` is implemented by `packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php::storeMedia`. The relevant lines are:

```php
$filename = md5($file->getClientOriginalName().time()).'.'.$file->getClientOriginalExtension();
$path = $file->storeAs($this->storagePath, $filename);
$this->sanitizeSvg($path, $file);
```

The controller does not allowlist extensions and does not verify the MIME type, and `sanitizeSvg()` returns early for any file whose extension does not contain "svg". The default filesystem disk is `public` (`config/filesystems.php` line 17: `'default' => env('FILESYSTEM_DISK','public')`), rooted at `storage/app/public`. The standard `php artisan storage:link` step, which is required for `Storage::url()` to produce a working URL, symlinks that directory to `public/storage/`, a path the webserver serves directly and in which `.php` files are executed.

Any authenticated admin-panel user, including the lowest-privilege role with `view_permission=individual`, can upload a `.php` file through this endpoint and obtain an executable URL at `/storage/tinymce/<md5>.<ext>`; the JSON response returns the full public URL in its `"location"` field.

Verified live on a stock Krayin 2.2.0 Docker install, logged in as a non-admin Sales Rep: the uploaded file executed as the `www-data` account on the first GET request. Any staff account can exploit this; admin privileges are not required.

CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-94 (Improper Control of Generation of Code).

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8 (High).

Minimum reproducer (Sales Rep session assumed; replace `$JAR` with a cookie jar obtained from `/admin/login`):

```shell
curl -sS -b "$JAR" -H "X-XSRF-TOKEN: $XSRF" -H "X-Requested-With: XMLHttpRequest" \
  -F "<field>=@<file>.php" "http://target/admin/tinymce/upload"
# JSON response: {"location":"http://target/storage/tinymce/<md5>.php"}
curl "http://target/storage/tinymce/<md5>.php?c=id"
# PWNED:uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
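The root cause above is that `storeAs()` trusts the client-supplied extension and the handler never inspects the bytes. The following is an added example, not Krayin's code or a proposed upstream patch: a stand-alone PHP validator that a `storeMedia`-style handler could call before storing anything. It allowlists image extensions, checks the actual content type with `finfo` rather than the request's `Content-Type`, discards the client filename entirely, and excludes SVG so the `sanitizeSvg()` short-circuit no longer matters. Function and constant names (`safeUploadName`, `ALLOWED_UPLOADS`) and the sample inputs are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (not Krayin's code): defensive validation that a TinyMCE-style
// upload handler should perform before calling storeAs().
declare(strict_types=1);

// Extensions the editor legitimately needs, each mapped to the MIME type the
// file bytes must actually report. Anything else (php, phtml, phar, svg, ...)
// is rejected by omission. Constant name is hypothetical.
const ALLOWED_UPLOADS = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'webp' => ['image/webp'],
];

/**
 * Validate an upload and return a safe storage name, or throw RuntimeException.
 * $clientName is the untrusted original filename; $tmpPath is the uploaded file
 * on disk (e.g. $file->getRealPath() in Laravel). Function name is hypothetical.
 */
function safeUploadName(string $clientName, string $tmpPath): string
{
    // 1. Type is decided from the last extension only, lower-cased, against the allowlist.
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2) {
        throw new RuntimeException('missing extension');
    }
    $ext = array_pop($parts);
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }

    // 2. Check the bytes, not the client-supplied Content-Type header. A PHP
    //    script renamed to .png reports text/x-php (or similar), never image/png.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        throw new RuntimeException("content does not match .$ext: " . var_export($mime, true));
    }

    // 3. Never reuse any part of the client name: random name + allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs for a stand-alone run: a genuine 1x1 PNG, and a PHP
// script submitted once with its real extension and once disguised as .png.
$pngPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngPath, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$phpPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpPath, "<?php echo 'constructed sample';\n");

foreach ([['logo.png', $pngPath], ['script.php', $phpPath], ['script.png', $phpPath]] as [$name, $path]) {
    try {
        echo $name, ' -> stored as ', safeUploadName($name, $path), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
unlink($pngPath);
unlink($phpPath);
```

Run with `php example.php`: `logo.png` is accepted and renamed, `script.php` fails the allowlist, and `script.png` fails the content check. Validation alone is only half the fix; the returned name should be written to a disk that is not exposed under `public/` (Laravel's `local` disk under `storage/app`) and served through a controller that sets an image `Content-Type`, so that even a validation bypass never yields a file the webserver will execute. For detection on an unpatched install, any file under `public/storage/tinymce/` whose extension is not in the allowlist above is a direct indicator of this issue.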
| Field | Value |
|---|---|
| Source | https://bytium.com/insights/krayin-crm-2-2-0-authenticated-arbitrary-file-upload-to-rce |
| User | suffer (UID 74855) |
| Submission | 05/16/2026 16:17 (30 days ago) |
| Moderation | 06/14/2026 13:58 (29 days later) |
| Status | Duplicate |
| VulDB entry | 357335 [Krayin CRM 2.2.x /admin/tinymce/upload unrestricted upload] |
| Points | 0 |