PRIOn knowledge base: PRION:CVE-2022-45544
History: Feb 07, 2023 - 4:15 p.m.

Design/Logic Flaw

2023-02-07 16:15:00
PRIOn knowledge base
www.prio-n.com
insecure permission
schlix cms
arbitrary file upload
code execution
tristao parameter
vendor dispute

AI Score: 9 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 52.4%)

DISPUTED Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an “attacker” role.

CPE | Name | Operator | Version
 | cms | eq | 2.2.7-2
