Missing Authorization in bingo!CMS - CVE-2022-42458

 

Missing Authorization in bingo!CMS - CVE-2022-42458

Published: October 11, 2022


Vulnerability identifier: #VU68107
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2022-42458
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: ShiftTech Inc.
Affected software:
bingo!CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization in the management functionality responsible for file uploads. A remote non-authenticated attacker can upload a malicious file on the server and execute it.

Successful exploitation of the vulnerability may result in full system compromise.

Note, the vulnerability is being exploited in the wild.


How to mitigate CVE-2022-42458

Install updates from vendor's website.

Sources