Insecure Permission Vulnerability in SCHLIX CMS by Schlix Web Inc
CVE-2022-45544

8.8HIGH

Key Information:

Vendor: Schlix
Status: Cms
Vendor: CVE Published:; 7 February 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-45544?

The SCHLIX CMS version 2.2.7-2 is affected by a vulnerability that enables arbitrary file uploads and potential code execution through the tristao parameter. While the vendor asserts that only administrators can upload executable PHP files, the implications of this vulnerability warrant caution. Attackers could exploit misconfigurations or social engineering tactics to gain admin access, making this a critical issue for website security. It is crucial for administrators to ensure strict access controls and validate all uploaded content to safeguard against potential exploitation.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-45544
Created by tristao-marinho

References

https://www.schlix.com/

https://blog.tristaomarinho.com/schlix-cms-2-2-7-2-arbitr...

https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2023
🟡
Public PoC available
Feb 5, 2023
👾
Exploit known to exist
Feb 5, 2023
Vulnerability Reserved
Nov 21, 2022

CVE-2022-45544 Data

JSON