CVE-2022-50944— Aero CMS 0.0.1 PHP Code Injection via posts.php

Aero CMS 0.0.1 PHP Code Injection via posts.php

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

Aero CMS 代码注入漏洞

Aero CMS是美国Aero CMS公司的一个内容管理系统。 Aero CMS 0.0.1版本存在代码注入漏洞，该漏洞源于image参数存在PHP代码注入，可能导致经过身份验证的攻击者通过上传恶意文件执行任意PHP代码。

N/A

N/A