CVE-2022-38621: Fox Doufox CMS was found to have an RCE vulnerability on the edit file page.
An attacker can host a specially crafted PHP file on a Web server and cause the application to consume an excessive amount of CPU resources. This may result in the host server being compromised. To exploit this vulnerability, an attacker must trick a user into visiting a malicious Web server.
The vulnerability is located in the edit file API. An attacker can create a PHP script that uses the edit file API endpoint. The API can be used to upload any type of file, so an attacker can upload a PHP script that downloads arbitrary files via a request to the edit file API endpoint.
This will result in remote code execution.
Vulnerability overview
Overview: PHP edit file upload arbitrary file execution vulnerability - CVE-2022-38621
Timeline
Published on: 09/16/2022 19:15:00 UTC
Last modified on: 09/21/2022 14:13:00 UTC