PT-2026-2381 · E107 Cms · E107 Cms

Hubert Wojciechowski · Published 2026-01-13 · Updated 2026-01-21 · CVE-2022-50905

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
e107 CMS version 3.2.1

Description
e107 CMS version 3.2.1 is affected by multiple cross-site scripting (XSS) issues. A reflected XSS exists in the news comment functionality, triggered when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through a URL parameter, which executes when users click outside the comment field after typing content. Additionally, an upload restriction bypass for authenticated administrators allows the upload of SVG files containing malicious code via the media manager’s remote URL upload feature, leading to stored XSS when these files are accessed. The affected components are news.php and image.php.

Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all user inputs in the comment form of the news.php component. Restrict administrator privileges to prevent unauthorized file uploads through the media manager in the image.php component.
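
The SVG upload bypass described above comes down to trusting what a remote URL claims to be. The following is an added example, not code from e107 or from this advisory: `classify_remote_upload()` and `ALLOWED_IMAGE_TYPES` are hypothetical names, the sample inputs are constructed, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Added illustration, not e107 code: classify_remote_upload() is a hypothetical helper.
// Raster types a media manager might accept, mapped to the extension used for storage.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Decide from the downloaded bytes alone whether a remote file may be stored.
 * Returns ['ok' => bool, 'ext' => ?string, 'reason' => string].
 */
function classify_remote_upload(string $bytes): array
{
    // Sniff the real type; the URL's extension and the remote Content-Type are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        // SVG, HTML and XML all end up here: they can carry script, so they are never stored.
        return ['ok' => false, 'ext' => null, 'reason' => 'type not allowed: ' . ($mime ?: 'unknown')];
    }
    // The bytes must also decode as the image type that was sniffed.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info['mime'] !== $mime) {
        return ['ok' => false, 'ext' => null, 'reason' => 'not a decodable ' . $mime];
    }
    // Store under an extension derived from the content, never one taken from the URL.
    return ['ok' => true, 'ext' => ALLOWED_IMAGE_TYPES[$mime], 'reason' => 'accepted as ' . $mime];
}

// Constructed samples: a 1x1 GIF, and an SVG document served from a URL ending in ".png".
$samples = [
    'pixel.gif'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'banner.png' => '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                  . '<script>/* active content */</script></svg>',
];
foreach ($samples as $name => $bytes) {
    $r = classify_remote_upload($bytes);
    printf("%-10s %s (%s)\n", $name, $r['ok'] ? 'STORE' : 'REJECT', $r['reason']);
}
```

If SVG must be supported, serving it with `Content-Disposition: attachment` or from a separate origin keeps any embedded script out of the application's origin.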

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2022-50905

Affected Products: E107 Cms