jvndb-2022-000069
Vulnerability from jvndb
Published
2022-09-02 15:49
Modified
2024-06-13 11:44
Severity ?
9.8 (Critical) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
PowerCMS XMLRPC API vulnerable to command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
References
JVN https://jvn.jp/en/jp/JVN76024879/index.html
CVE https://www.cve.org/CVERecord?id=CVE-2022-33941
NVD https://nvd.nist.gov/vuln/detail/CVE-2022-33941
No Mapping(CWE-Other) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Alfasado Inc.PowerCMS
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "dc:date": "2024-06-13T11:44+09:00",
  "dcterms:issued": "2022-09-02T15:49+09:00",
  "dcterms:modified": "2024-06-13T11:44+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).\r\nSending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.\r\nAccording to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000069",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN76024879/index.html",
      "@id": "JVN#76024879",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to command injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.