CVE-2022-37140

Name of the Vulnerable Software and Affected Versions PayMoney version 3.3

Description The issue is related to Client Side Remote Code Execution (RCE) and exists in the reply ticket function, where uploading a malicious file can lead to execution of remote code. When a victim downloads and opens the malicious RTF file, a calculator will open, demonstrating the vulnerability.

Recommendations For PayMoney version 3.3, as a temporary workaround, consider disabling the reply ticket function until a patch is available. Restrict access to uploading files to minimize the risk of exploitation. Avoid using the vulnerable function to open RTF files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.