Insights
Security insights from Bytium operators
Brief updates from Bytium operators on the tactics we see, how we respond, and what your teams can ship today to stay ahead.
Authenticated Arbitrary File Upload to RCE in Twill CMS 3.6.0
The File Library upload endpoint in Twill CMS(Version 3.6.0) does not validate the type of uploaded files and stores them, with their original extension, on a publicly web-served disk.
Leantime 3.8.0 Broken Access Control
Leantime is a popular open-source project-management app. Its front-end talks to a JSON-RPC API, and several of those API methods forgot to check *who* is calling them. We already covered how that lets any low-privilege user make themselves an administrator.
Leantime 3.8.0 Privilege Escalation Vulnerability
A broken access control flaw (CWE-862) in Leantime ≤3.8.0 lets any authenticated low-privilege user escalate to Owner via the JSON-RPC API. PoC, impact, and fix.
Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk
Krayin CRM 2.2.0 - Authenticated Blind SQL Injection in Leads DataGrid
Krayin CRM 2.2.0 contains an authenticated blind time-based SQL injection in the Leads DataGrid. The `rotten_lead[in]` request parameter is concatenated directly into a `havingRaw()` expression without parameter binding, exposing the database to byte-by-byte extraction by any authenticated staff user
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
Authenticated cross user idor vulnerability has been identified in Webkul's Krain CRM 2.2.0.
Blind SQL Injection in Perfex CRM 3.4.1
Perfex CRM 3.4.1 pastes the `sort_by` request parameter directly into an ORDER BY clause with CodeIgniter's identifier escaping disabled. Any staff account — admin flag not required, zero role permissions is enough — can exploit this blind time-based SQL injection to read the entire application database, including the bcrypt-wrapped phpass hashes in `tblstaff.password`.
Perfex CRM 3.4.1 Cross-Tenant IDOR Vulnerability
Introducing Bytium Active: Digital Presence Health for Your Business
Bytium Active is a continuous monitoring product that watches the state of your business online — what's exposed, what's expiring, what looks broken, and what you'll need when a customer or insurer asks. Here's why we built it, what it does today, and what's coming next.
Security Isn't a Task. It's a System
Most organizations don’t fail at security because they don’t care. They fail because security is treated as something you do, not something you run.