Lucene search

[email protected]CVE-2022-40797

HistoryNov 09, 2022 - 7:15 a.m.

CVE-2022-40797

2022-11-0907:15:09

CWE-434

[email protected]

web.nvd.nist.gov

roxy fileman

remote code execution

cve-2022-40797

information security

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.056 Low

EPSS

Percentile

93.3%

JSON

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)

Affected configurations

NVD

Node

roxyfilemanroxy_filemanMatch1.4.6

CPENameOperatorVersion
roxyfileman:roxy_filemanroxyfileman roxy filemaneq1.4.6

CPE	Name	Operator	Version
roxyfileman:roxy_fileman	roxyfileman roxy fileman	eq	1.4.6

References

packetstormsecurity.com/files/169964/Roxy-Fileman-1.4.6-Remote-Shell-Upload.html

gist.github.com/Hadi999/1f66fe7c5a217ca261ebfec36c630d18

salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6

web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php

Social References

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.056 Low

EPSS

Percentile

93.3%

JSON

Related for CVE-2022-40797

packetstorm1 prion1 cvelist1 zdt1 nvd1