Platform
php
Component
e107
Fixed in
3.2.2
CVE-2022-50939 is a critical Path Traversal vulnerability discovered in e107 CMS version 3.2.1. This flaw allows authenticated administrators to overwrite arbitrary server files, potentially leading to complete compromise of the web application. The vulnerability stems from insufficient sanitization of the upload_caption parameter within the Media Manager's remote URL upload feature. A patched release (3.2.2, per the Fixed-in field above) addresses this issue.
The impact of CVE-2022-50939 is severe. An attacker with administrative privileges can exploit this vulnerability to overwrite critical files, such as configuration files or core application components. This could allow them to gain complete control over the web server, execute arbitrary code, steal sensitive data, or deface the website. Because a caption-derived filename can traverse out of the upload directory, an account that is only meant to manage media gains the ability to write anywhere the web server process can write, which is a significant escalation of privilege. Successful exploitation could mirror the impact of other file upload vulnerabilities in which attackers have used similar techniques to gain persistent access and control.
CVE-2022-50939 was publicly disclosed on 2026-01-13. The vulnerability's ease of exploitation, combined with its potential impact, warrants careful attention. No public proof-of-concept (PoC) code is currently known, but the nature of the flaw makes it likely that one will emerge. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns.
Exploit Status
EPSS
0.70% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2022-50939 is to upgrade to the fixed release of e107 CMS (3.2.2, per the Fixed-in field above). Until the upgrade can be applied, administrators should restrict access to the Media Manager's remote URL upload functionality. Implement strict server-side validation and sanitization of uploads, including an allow-list of permitted file extensions and a check that the resolved destination path stays inside the upload directory. Consider a Web Application Firewall (WAF) with rules that detect and block directory traversal sequences in the upload_caption parameter. Regularly review server logs for suspicious activity related to file uploads.
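As an added illustration of the server-side mitigations listed above (this is example code written for this page, not code from e107 or from the advisory), the following Python shows both halves of the defence: a containment check that confines a caption-derived filename to the upload directory, and a scan over access-log lines for traversal sequences in the upload_caption parameter. The upload root, the admin endpoint path, and the log lines are all constructed assumptions for the example; e107 itself is PHP, so this demonstrates the pattern rather than a drop-in fix.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical upload root; the real e107 media path is not named on this page.
UPLOAD_ROOT = "/var/www/e107/e107_media/uploads"

# Allow-list of extensions accepted for a caption-derived filename.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}

# A plain filename token: no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Traversal sequences as they appear after percent-decoding.
_TRAVERSAL = re.compile(r"\.\./|\.\.\\")


def safe_upload_path(caption: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return an absolute destination path under upload_root for a user-supplied
    caption, or raise ValueError if the caption cannot be made safe.

    Two independent layers: the name is reduced to a strict character set with
    no path separators, and the joined path is normalised and then checked to
    still lie inside upload_root (defence in depth against normalisation bugs).
    """
    # Decode percent-encoding once so "%2e%2e%2f" cannot slip past the name check;
    # a double-encoded "%252e" decodes to "%2e", which the regex then rejects.
    name = unquote(caption).strip()
    if not _SAFE_NAME.match(name):
        raise ValueError(f"rejected caption: {caption!r}")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {caption!r}")
    root = os.path.abspath(upload_root)
    candidate = os.path.abspath(os.path.join(root, name))
    # Containment check: the normalised path must remain under the upload root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {caption!r}")
    return candidate


def accepts(caption: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """Boolean wrapper around safe_upload_path for quick policy checks."""
    try:
        safe_upload_path(caption, upload_root)
        return True
    except ValueError:
        return False


def find_traversal_attempts(log_lines):
    """Scan access-log lines (combined format) for requests whose upload_caption
    query parameter carries a traversal sequence. Returns (line_no, value) pairs.
    Only the request line is inspected, so parameters sent in a POST body
    would need a separate source (for example an application-level log)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("upload_caption", []):
            # parse_qs removed one layer of encoding; unquote again to expose
            # double-encoded sequences before matching.
            if _TRAVERSAL.search(unquote(value)):
                hits.append((n, value))
    return hits


# Constructed sample log lines; the endpoint path is illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jan/2026:10:00:01 +0000] "GET /admin/media-manager.php?mode=main&upload_caption=holiday.png HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Jan/2026:10:00:02 +0000] "GET /admin/media-manager.php?mode=main&upload_caption=..%2F..%2Ftarget.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Jan/2026:10:00:03 +0000] "GET /admin/media-manager.php?mode=main&upload_caption=%252e%252e%252fother.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Jan/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for caption in ["holiday.png", "../../target.txt", "%2e%2e/x.png", "photo.php"]:
        print(f"{caption!r:24} accepted={accepts(caption)}")
    for line_no, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {line_no}: traversal in upload_caption={value!r}")
```

The containment check is deliberately redundant with the character allow-list: if a later change loosens the regex (for example to permit Unicode filenames), the `commonpath` comparison still refuses anything that resolves outside the upload root. The log scan is what the "review server logs" recommendation above looks like in practice; the same regex can be the basis of a WAF rule on the parameter.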
Update to a fixed version of e107 CMS that addresses the upload restriction bypass vulnerability. Check the release notes and upgrade instructions provided by the vendor to ensure a correct deployment. In addition, review and strengthen the application's security practices, including validation and sanitization of all user input.
CVE-2022-50939 is a critical Path Traversal vulnerability affecting e107 CMS version 3.2.1, allowing authenticated administrators to overwrite server files.
If you are running e107 CMS version 3.2.1, you are potentially affected by this vulnerability. Upgrade to the fixed release (3.2.2) as soon as possible.
The recommended fix is to upgrade to the fixed release of e107 CMS (3.2.2). Until the upgrade can be applied, restrict access to the Media Manager and implement strict file upload validation.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that it will be targeted. Monitor security advisories and threat intelligence feeds.
Refer to the official e107 CMS website and security advisories for updates and information regarding this vulnerability.