PT-2023-14430 · Unknown · B2Evolution
Mzwebo · Published 2023-01-03 · Updated 2024-08-03 · CVE-2022-44036
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
b2evolution version 7.2.5
Description
b2evolution 7.2.5 allows arbitrary file upload, leading to command execution, when the "admins can manipulate sensitive files" option is enabled. The vendor considers this behaviour a feature, but it can be exploited by attackers to execute remote commands. The vendor's suggested remedy for those who do not want the feature is to disable it.

Recommendations
For b2evolution version 7.2.5, disable the "admins can manipulate sensitive files" feature to prevent arbitrary file upload and command execution.

Exploit
Fix

Weakness Enumeration
Unrestricted File Upload

Related Identifiers

Affected Products
B2Evolution