CVE-2022-29624 : An arbitrary file upload vulnerability in the Add File function of TPCMS v3.2 allows attackers to execute arbitrary code

An arbitrary file upload vulnerability in the Add File function of TPCMS v3.2 allows attackers to execute arbitrary code via a crafted PHP file.

Published 2022-06-02 14:15:49

Updated 2022-06-11 02:26:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2022-29624

Probability of exploitation activity in the next 30 days: 0.11%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Assigned by: nvd@nist.gov (Primary)

https://gitee.com/happy_source/tpcms

tpcms: thinkphp写的开源cms 支持自定义模型。写了常用的标签，方便前后台调用。集成编辑器keditor、bootstrap、pintuer、hdjs 集成php类 phpexcel、phpmailer
Product
https://gitee.com/happy_source/tpcms/issues/I533KY

Arbitrary file upload vulnerability exists in tpcms v3.2 · Issue #I533KY · 快乐源泉/tpcms - Gitee
Exploit;Issue Tracking;Third Party Advisory

Tpcms Project » Tpcms » Version: 3.2
cpe:2.3:a:tpcms_project:tpcms:3.2:*:*:*:*:*:*:*
Matching versions