CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
55.2%
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.
An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.
When XMLRPC API is NOT required: Disable XMLRPC API
mt-xmlrpc.cgi
or remove execute permission of mt-xmlrpc.cgi
XMLRPCScript
is configured, the file may be renamed. In that case, implement this countermeasure to that renamed fileRestrictedPSGIApp
to prohibit XMLRPC application: RestrictedPSGIApp xmlrpc