Vulnerabilities

CVE-2022-23048

by Fred · 09/02/2022

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

Date published : 2022-02-09

https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460

https://fluidattacks.com/advisories/dylan/

Similar

Tags: Cybersecurity Alert