CVE-2022-45544

Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.

Configurations

Configuration 1

cpe:2.3:a:schlix:cms:2.2.7-2:*:*:*:*:*:*:*

History

21 Nov 2024, 07:29

Type: References
Values Removed: () https://blog.tristaomarinho.com/schlix-cms-2-2-7-2-arbitrary-file-upload/ - Broken Link
Values Added: () https://blog.tristaomarinho.com/schlix-cms-2-2-7-2-arbitrary-file-upload/ - Broken Link

Type: References
Values Removed: () https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md - Exploit, Third Party Advisory
Values Added: () https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md - Exploit, Third Party Advisory

Type: References
Values Removed: () https://www.schlix.com/ - Product
Values Added: () https://www.schlix.com/ - Product

Type: References
Values Removed: () https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.7-2.zip - Product
Values Added: () https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.7-2.zip - Product

07 Nov 2023, 03:54

Type: Summary
Values Removed: ** DISPUTED ** Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.
Values Added: Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.

Information

Published : 2023-02-07 16:15

Updated : 2024-11-21 07:29


NVD link : CVE-2022-45544

Mitre link : CVE-2022-45544

CVE.ORG link : CVE-2022-45544


Products Affected

schlix

  • cms

CWE
CWE-863

Incorrect Authorization