CVE-2022-33941

Name of the Vulnerable Software and Affected Versions PowerCMS versions 6.021 and earlier PowerCMS versions 5.21 and earlier PowerCMS versions 4.51 and earlier PowerCMS 3 Series and earlier

Description The PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection issue. By sending a specially crafted message via the POST method to the PowerCMS XMLRPC API, an attacker may be able to execute arbitrary Perl scripts, and subsequently, arbitrary OS commands.

Recommendations For PowerCMS versions 6.021 and earlier, consider disabling the XMLRPC API until a patch is available. For PowerCMS versions 5.21 and earlier, restrict access to the XMLRPC API to minimize the risk of exploitation. For PowerCMS versions 4.51 and earlier, avoid using the XMLRPC API for critical operations until the issue is resolved. For PowerCMS 3 Series and earlier, due to their End-of-Life status, it is recommended to upgrade to a supported version as soon as possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.