PT-2026-2415 · E107 Cms · E107 Cms

Hubert Wojciechowski

·

Publicado

2026-01-13

·

Atualizado

2026-01-14

·

CVE-2022-50939

CVSS v4.0

8.6

Alta

VetorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions e107 CMS version 3.2.1
Description e107 CMS version 3.2.1 has a file upload issue. Authenticated administrators can overwrite server files using path traversal. The issue is located in the Media Manager’s remote URL upload functionality, specifically in the image.php component. The upload caption parameter is not properly sanitized, allowing attackers to use directory traversal sequences (../../../) to overwrite system files outside the intended upload directory. This could lead to a complete compromise of the web application by overwriting configuration files or executable scripts.
Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict administrative privileges to trusted personnel only.

Exploit

Correção

Unrestricted File Upload

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-434CWE-22

Identificadores relacionados

CVE-2022-50939

Produtos afetados

E107 Cms