Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2022-50905
CriticalVulnerability Description
e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References & Resources
-
https://e107.org/disclosure@vulncheck.com
-
https://e107.org/downloaddisclosure@vulncheck.com
-
https://www.exploit-db.com/exploits/50910disclosure@vulncheck.com
-
https://www.vulncheck.com/advisories/e-cms-reflected-xss-via-comment-flowdisclosure@vulncheck.com
-
https://www.exploit-db.com/exploits/50910134c704f-9b21-4f2e-91b3-4a467353bcc0
Severity Details
Key Information
- Published Date
- January 13, 2026
