CVE-2022-45544

Name of the Vulnerable Software and Affected Versions Schlix Web Inc SCHLIX CMS version 2.2.7-2

Description The issue allows an attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. However, it is noted that this functionality is intentionally allowed for admins to upload new executable PHP code from trusted sources. The vulnerability is disputed by the vendor as it requires admin privileges to upload such code.

Recommendations For version 2.2.7-2, consider restricting access to the tristao parameter to prevent unauthorized file uploads and code execution. As a temporary workaround, restrict the ability to upload new executable PHP code to only trusted sources and ensure that all admins are aware of the potential risks associated with this functionality.