CVE-2022-23048

Summary

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

Affected Software

VendorProductVersion RangeStatus
n/aExponent CMSv2.6.0patch2affected

Weaknesses

  • Insecure file upload (RCE)

ADP Enrichment

CVE Program Container

Additional References

References