CVE-2022-45544

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-11-21 CVE Reserved
2023-02-05 First Exploit
2023-02-07 CVE Published
2024-08-03 CVE Updated
2024-09-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-863: Incorrect Authorization

CAPEC

References (5)

URL	Tag	Source
https://blog.tristaomarinho.com/schlix-cms-2-2-7-2-arbitrary-file-upload	Broken Link
https://www.schlix.com	Product
https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.7-2.zip	Product

URL	Date	SRC
https://github.com/tristao-marinho/CVE-2022-45544	2023-02-05
https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Schlix Search vendor "Schlix"		Cms Search vendor "Schlix" for product "Cms"				2.2.7-2 Search vendor "Schlix" for product "Cms" and version "2.2.7-2"		-		Affected