Lucene search

[email protected]NVD:CVE-2022-33941

HistorySep 08, 2022 - 8:15 a.m.

CVE-2022-33941

2022-09-0808:15:07

CWE-78

[email protected]

web.nvd.nist.gov

cve-2022-33941

powercms

xmlrpc

command injection

alfasado inc.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.2%

JSON

PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.

Affected configurations

Nvd

Node

alfasadopowercmsRange≤4.51

alfasadopowercmsRange5.0–5.21

alfasadopowercmsRange6.0–6.021

VendorProductVersionCPE
alfasadopowercms*cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
alfasado	powercms	*	cpe:2.3:a:alfasado:powercms::::::::

References

jvn.jp/en/jp/JVN76024879/index.html

www.powercms.jp/news/xmlrpc-api-provision-202208.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.2%

JSON

Related for NVD:CVE-2022-33941

cvelist1 jvn1 prion1 cve1