History: Sep 08, 2022 - 7:10 a.m.

CVE-2022-33941

2022-09-08 07:10:41
jpcert
www.cve.org
powercms
xmlrpc api
command injection
vulnerability
alfasado inc
post method
perl script execution
os command
powercms 6 series
powercms 5 series
powercms 4 series
unsupported.

AI Score: 9.9
Confidence: High
EPSS: 0.002
Percentile: 55.2%

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.

CNA Affected

[
  {
    "product": "PowerCMS XMLRPC API",
    "vendor": "Alfasado Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), PowerCMS 4.51 and earlier (PowerCMS 4 Series), and PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL)"
      }
    ]
  }
]
