FacturaScripts, Information Disclosure, GHSA-q7f2-rv22-2xgr (High)


How the Vulnerability Works

  1. The root cause – The Library module in FacturaScripts ≤2025.81 stores user-uploaded images byte‑for‑byte without any server‑side metadata processing.
  2. No EXIF stripping – The application never calls functions like `stripImage()` (Imagick) or `imagejpeg()` (GD) that would discard embedded metadata.
  3. Preserved sensitive fields – Because the image is stored as‑is, EXIF fields such as GPS coordinates, camera make/model, timestamps, and user comments remain intact.
  4. Direct download capability – Any authenticated user with access to the Library can download the original, metadata‑rich file.
  5. No download‑time sanitization – The download handler serves the exact stored file; no header‑based stripping or re‑encoding is applied.
  6. Cross‑user leakage – An attacker (or any colleague) can download an image uploaded by another user and extract its embedded metadata.
  7. GPS geolocation exposure – Extracted GPS coordinates (e.g., 48.8566°N, 2.3522°E) resolve to the uploader’s precise physical location, such as their home address.
  8. Device fingerprinting – Fields like Make, Model, and serial numbers enable tracking of the device used by the uploader.
  9. Behavioral profiling – Multiple uploads containing sequential timestamps and GPS data can reconstruct an individual’s movements and schedule.
  10. Embedded thumbnail risk – Thumbnail previews may preserve the original uncropped image, potentially exposing content the user intentionally cropped out.
  11. PII leakage – Authors’ names and embedded comments (e.g., XPAuthor, UserComment) expose personal identity information.
  12. Retroactive exposure – Every image ever uploaded to the Library is affected, making historical data vulnerable as well.
  13. No user warning – Users are not alerted that their uploaded images will retain all original metadata.
  14. Low‑skill exploitation – The attacker only needs Library download access and a free tool like exiftool; no complex exploit chain is required.
  15. Irrevocable leak – Once an image is downloaded, the metadata cannot be “un‑leaked” from the attacker’s system.

DailyCVE Form

Platform: FacturaScripts
Version: ≤v2025.81
Vulnerability: Info Disclosure (EXIF)
Severity: High
Date: 2025‑01‑15

Prediction: 2026‑06‑01

What Undercode Says:

Analytics – The following bash commands and code snippets demonstrate the vulnerability and its remediation.

  1. Inject test metadata into an image (sample values, constructed for the test)
  exiftool -GPSLatitude="48.8566" -GPSLatitudeRef="N" \
  -GPSLongitude="2.3522" -GPSLongitudeRef="E" \
  -GPSAltitude="35" -UserComment="Confidential: Home address" \
  -XPAuthor="John Doe" -Make="Apple" -Model="iPhone 15 Pro Max" \
  -DateTimeOriginal="2025:01:15 09:30:00" test_image.jpg
  2. Verify metadata was injected correctly
  exiftool test_image.jpg
  3. After uploading and downloading the image, extract metadata from the downloaded file
  exiftool downloaded_image.jpg
  4. Remediation – retroactively strip metadata from all existing JPEGs in the Library
  # -all= removes every tag, including Orientation and the ICC profile; work on a backup first
  exiftool -all= -overwrite_original /path/to/library/uploads/*.jpg
  5. Remediation – PHP (GD) code to strip metadata on upload
  function stripMetadata($sourcePath, $destPath) {
      // Decoding to a raw bitmap discards every EXIF/IPTC/XMP segment
      $image = imagecreatefromjpeg($sourcePath);
      if ($image === false) {
          throw new RuntimeException("Not a valid JPEG: $sourcePath");
      }
      // Re-encode from pixels only; quality 95 limits generation loss
      $ok = imagejpeg($image, $destPath, 95);
      imagedestroy($image);
      return $ok;
  }
  6. Remediation – PHP (Imagick) code to strip metadata
  $img = new Imagick($sourcePath);
  $img->stripImage();   // drops all profiles and comments
  $img->writeImage($destPath);
  $img->destroy();
  7. Remediation – Python (Pillow) code
  from PIL import Image
  img = Image.open("uploaded.jpg")
  # Copy only the pixel data into a fresh image; Image.new() carries no EXIF
  clean = Image.new(img.mode, img.size)
  clean.putdata(list(img.getdata()))
  clean.save("clean.jpg")
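To make the mechanism in "How the Vulnerability Works" concrete and to give a dependency-free alternative to the re-encoding remediations above, here is an added example (my code, not FacturaScripts' and not from the advisory) that walks a JPEG at the segment level: it reports which segments can carry metadata, decodes the GPS fix out of the Exif APP1 segment, and rebuilds the file without APP1..APP15 and COM so the entropy-coded pixels are never touched. The sample JPEG, the Make string, the coordinates (48.8566 N, 2.3522 E) and the comment are all constructed inline to mirror the exiftool test values in step 1; its scan data is a placeholder, so it is not a viewable picture. Only the Python standard library is used.

```python
import struct

SOS, COM, APP0, APP1 = 0xDA, 0xFE, 0xE0, 0xE1                  # JPEG marker bytes
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field widths
GPS_IFD_TAG = 0x8825                                            # IFD0 entry -> GPS sub-IFD

def segments(data):
    """Yield (marker, payload) per JPEG segment; the SOS payload runs to EOF."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:                      # entropy-coded scan: keep it whole
            yield marker, data[pos + 2:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def metadata_segments(data):
    """Names of the segments that can carry metadata (APP1..APP15, COM)."""
    return ["COM" if m == COM else "APP%d" % (m - 0xE0)
            for m, _ in segments(data) if m == COM or 0xE1 <= m <= 0xEF]

def strip_metadata(data):
    """Rebuild the file without APP1..APP15 and COM. Pixels are copied, not
    re-encoded; APP0/JFIF stays. APP2 (ICC profile) is dropped as well."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments(data):
        if marker == COM or 0xE1 <= marker <= 0xEF:
            continue
        out += bytes([0xFF, marker])
        out += payload if marker == SOS else struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)

def _ifd_entries(tiff, end, offset):
    """Parse one TIFF IFD into {tag: raw value bytes}."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        off = e + 8                            # values up to 4 bytes sit inline
        if size > 4:                           # larger ones live at a TIFF offset
            (off,) = struct.unpack(end + "I", tiff[e + 8:e + 12])
        entries[tag] = tiff[off:off + size]
    return entries

def find_exif_gps(data):
    """Return {"lat", "lon"} in decimal degrees from the Exif APP1, else None."""
    for marker, payload in segments(data):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                     # TIFF header follows "Exif\0\0"
        end = "<" if tiff[:2] == b"II" else ">"
        def dms(p):                            # three RATIONALs: deg, min, sec
            v = struct.unpack(end + "IIIIII", p)
            return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
        ifd0 = _ifd_entries(tiff, end, struct.unpack(end + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0: return None
        gps = _ifd_entries(tiff, end, struct.unpack(end + "I", ifd0[GPS_IFD_TAG])[0])
        if 0x0002 not in gps or 0x0004 not in gps: return None
        lat = dms(gps[0x0002]) * (-1 if gps.get(0x0001, b"N")[:1] == b"S" else 1)
        lon = dms(gps[0x0004]) * (-1 if gps.get(0x0003, b"E")[:1] == b"W" else 1)
        return {"lat": lat, "lon": lon}
    return None

def _ifd(entries, base, end="<"):
    """Serialize [(tag, type, count, payload)] as an IFD placed at TIFF offset base."""
    body, data = b"", b""
    data_off = base + 2 + 12 * len(entries) + 4   # out-of-line values follow the IFD
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            val = payload.ljust(4, b"\0")
        else:
            val = struct.pack(end + "I", data_off + len(data))
            data += payload
        body += struct.pack(end + "HHI", tag, typ, count) + val
    return struct.pack(end + "H", len(entries)) + body + struct.pack(end + "I", 0) + data

def build_sample_jpeg():
    """Constructed sample: JFIF + Exif (Make, GPS 48.8566N 2.3522E) + COM; placeholder scan."""
    rat = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)
    make = b"Apple\0"
    gps_off = 8 + 2 + 12 * 2 + 4 + len(make)    # header + IFD0 (2 entries) + Make string
    ifd0 = _ifd([(0x010F, 2, len(make), make),
                 (GPS_IFD_TAG, 4, 1, struct.pack("<I", gps_off))], 8)
    gps = _ifd([(0x0001, 2, 2, b"N\0"),
                (0x0002, 5, 3, rat((48, 1), (51, 1), (2376, 100))),
                (0x0003, 2, 2, b"E\0"),
                (0x0004, 5, 3, rat((2, 1), (21, 1), (792, 100)))], gps_off)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
            + seg(APP1, b"Exif\0\0" + tiff) + seg(COM, b"Confidential: Home address")
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + bytes(16) + b"\xff\xd9")
```

`metadata_segments(build_sample_jpeg())` returns `['APP1', 'COM']` and `find_exif_gps` decodes the coordinates back to 48.8566 / 2.3522; after `strip_metadata` both the segment list and the GPS lookup come back empty while the scan bytes are identical. Because no re-encode happens, the Orientation tag is lost along with everything else, so an upload pipeline that uses this approach should apply the rotation to the pixels first (as the GD and Imagick paths do implicitly when they re-encode).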
  

Exploit:

An authenticated user navigates to the Library module, downloads any image uploaded by another user, and runs `exiftool` on the downloaded file. The tool will display the original uploader’s GPS coordinates, device information, timestamps, and embedded comments, revealing their home address and other PII.

Protection from this CVE:

  • Immediate: Implement server‑side EXIF/metadata stripping on all image uploads before storage (e.g., using Imagick::stripImage() or GD’s re‑encoding).
  • Retroactive: Strip metadata from all existing images in the Library storage directory using exiftool -all= -overwrite_original.
  • Long‑term: Establish a centralized file‑upload pipeline that consistently sanitizes metadata across all modules, add `Content-Disposition: attachment` headers, and enforce file‑type validation via magic bytes.

Impact:

  • Geolocation Disclosure: GPS coordinates in uploaded photos reveal home addresses, office locations, client sites, and travel patterns of employees.
  • PII Leakage: Author names, comments, and device owner names embedded in metadata expose personal identity.
  • Physical Security Risk: In sensitive sectors (law enforcement, journalism, NGOs, etc.), leaking home GPS coordinates constitutes a direct physical safety threat.
  • Regulatory Exposure: GPS coordinates and author names constitute personal data under GDPR (Art. 4(1)), CCPA, and similar frameworks; failure to strip this data may constitute a data‑protection violation.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
