// For flags

CVE-2022-44036

 

Severity Score

7.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it."

En b2evolution 7.2.5, si se configura con admins_can_manipulate_sensitive_files, los administradores pueden cargar archivos arbitrarios, lo que lleva a ejecución de comandos. NOTA: la posición del proveedor es que esto es "obviamente es una característica, no un problema y si no te gusta esa característica, es muy obvio cómo desactivarla".

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2022-10-30 CVE Reserved
  • 2023-01-03 CVE Published
  • 2024-07-26 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
B2evolution
Search vendor "B2evolution"
B2evolution Cms
Search vendor "B2evolution" for product "B2evolution Cms"
7.2.5
Search vendor "B2evolution" for product "B2evolution Cms" and version "7.2.5"
-
Affected