Skip to content

[GHSA-wjmh-wmx9-9v38] The Terrapack software, from ASTER TEC / ASTER S.p.A.,... #7208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
edi-marc wants to merge 1 commit into from
Closed

[GHSA-wjmh-wmx9-9v38] The Terrapack software, from ASTER TEC / ASTER S.p.A.,... #7208

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 42 additions & 9 deletions advisories/unreviewed/2026/03/GHSA-wjmh-wmx9-9v38/GHSA-wjmh-wmx9-9v38.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,43 +1,76 @@
{
"schema_version": "1.4.0",
"id": "GHSA-wjmh-wmx9-9v38",
"modified": "2026-03-20T18:31:18Z",
"modified": "2026-03-20T18:31:19Z",
"published": "2026-03-20T18:31:18Z",
"aliases": [
"CVE-2025-67260"
],
"details": "The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.",
"severity": [],
"affected": [],
"summary": "CVE-2025-67260 : File upload vulnerability in software Terrapack",
"details": "The Terrapack software, also known as the Terrapack WebGIS platform, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0.\n\nUsers with access to the platform can abuse the file upload and import functionality to upload malicious files. Specifically, the \"TkWebCoreNG/InputOutputFile.php\" page does not implement the necessary server-side checks to prevent users from uploading arbitrary files. The uploaded files are moved to the \"TkRepository\" folder. If the user gains access to the specified directory, the vulnerability could trigger a Remote Code Execution (RCE) and lead to the execution of arbitrary code.\n\n### Credit\nDiscovered by: **(edimarc)** **Emanuele Di Marco** @ [Alten Italy](https://www.alten.it) , [Telsy](https://www.telsy.com/en/)",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67260"
},
{
"type": "WEB",
"url": "https://github.com/edi-marc/Vulnerability_List/tree/main/CVE_Terrapack"
"url": "https://github.com/edi-marc/Vulnerability_List/tree/main/CVE-2025-67260"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/217271"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20240625044657/https://www.aster-te.it"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20240714202223/https://www.terrapack.it"
},
{
"type": "WEB",
"url": "https://www.acn.gov.it/portale/en/csirt-italia"
},
{
"type": "WEB",
"url": "http://aster.com"
"url": "https://www.aster-te.it"
},
{
"type": "WEB",
"url": "http://terrapack.com"
"url": "http://terrapack.it"
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-434"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T16:16:16Z"
Expand Down
Loading