PT-2022-20160 · Unknown · Asith-Eranga Isic Tour Booking
Published 2022-11-22 · Updated 2025-04-28
CVE-2022-30529 · CVSS v3.1 7.2 High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
asith-eranga ISIC tour booking, all versions up to and including the version published on Feb 13th 2018
Description
The file manager plugin shipped with the application's bundled TinyMCE editor does not restrict the files it accepts. An attacker who can reach the "/system/application/libs/js/tinymce/plugins/filemanager/dialog.php" and "/system/application/libs/js/tinymce/plugins/filemanager/upload.php" endpoints can therefore upload arbitrary files to the server. Per the CVSS vector above the attack is network-reachable (AV:N) but requires high privileges (PR:H), so the exposed surface is a user who already holds an elevated account in the application.
Recommendations
For versions through the version published on Feb 13th 2018, disable the file upload functionality exposed by the "/system/application/libs/js/tinymce/plugins/filemanager/dialog.php" and "/system/application/libs/js/tinymce/plugins/filemanager/upload.php" endpoints until a patch is available. Because these are PHP scripts living under a directory that is served to browsers as part of the editor's JavaScript assets, turning the feature off in the editor configuration alone does not stop direct requests to the scripts; restrict access to the filemanager plugin directory itself (for example at the web server) to minimize the risk of exploitation, and confirm afterwards that both endpoints no longer answer.
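To confirm that the restriction described above is actually in effect, the following added example (not code from this advisory or from the ISIC tour booking project) requests the two endpoints named in the advisory without following redirects and reports which of them still answer. The base URL, the User-Agent string and the canned responses used by `demo()` are assumptions constructed for offline use; the endpoint paths are the ones from the advisory.

```python
"""Exposure check for the TinyMCE filemanager endpoints named in PT-2022-20160.

Added example, not part of the advisory or the affected project. The base URL,
User-Agent and the canned statuses in demo() are assumptions for offline use.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# The two endpoints named in the advisory, relative to the site root.
FILEMANAGER_ENDPOINTS = (
    "/system/application/libs/js/tinymce/plugins/filemanager/dialog.php",
    "/system/application/libs/js/tinymce/plugins/filemanager/upload.php",
)


def classify(status: int) -> str:
    """Map an HTTP status to a verdict on whether the script is still reachable.

    200 means the script still executes and answers, so the restriction is not
    in place. 401/403 means the web server or application now gates access,
    and 404/410 means the plugin directory has been removed. Anything else
    (redirects, server errors) is flagged for manual review instead of being
    silently treated as safe.
    """
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "restricted"
    if status in (404, 410):
        return "removed"
    return "review"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them, so a redirect
    to a login page is reported as 'review' rather than as the login page's 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for a GET of `url` (assumed User-Agent)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "filemanager-exposure-check"}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_exposure(
    base_url: str, fetch: Callable[[str], int] = http_status
) -> Dict[str, str]:
    """Probe every advisory endpoint under `base_url` and return path -> verdict.

    `fetch` is injectable so the logic can be exercised without a network.
    """
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in FILEMANAGER_ENDPOINTS}


def still_exposed(results: Dict[str, str]) -> List[str]:
    """Paths whose verdict is not a confirmed 'restricted' or 'removed'."""
    return [p for p, v in results.items() if v not in ("restricted", "removed")]


def demo() -> Dict[str, str]:
    """Offline run with constructed responses: dialog.php still answers 200,
    upload.php is now denied with 403. Not a real observation."""
    def fake_fetch(url: str) -> int:
        return 200 if url.endswith("dialog.php") else 403

    return check_exposure("https://booking.example/", fetch=fake_fetch)


if __name__ == "__main__":
    # Usage: python check_filemanager.py https://your-site  (omit to run demo)
    results = demo() if len(sys.argv) < 2 else check_exposure(sys.argv[1])
    for path, verdict in results.items():
        print(f"{verdict:10s} {path}")
    sys.exit(1 if still_exposed(results) else 0)
```

The script exits non-zero whenever either endpoint is anything other than confirmed restricted or removed, so it can sit in a deployment pipeline as a regression check that the web-server rule has not been dropped during an upgrade.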
Weakness Enumeration
Unrestricted File Upload
Affected Products
Tinymce
Asith-Eranga Isic Tour Booking