#VU68107 Missing Authorization in bingo!CMS - CVE-2022-42458
Published: October 11, 2022
Vulnerability identifier: #VU68107
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2022-42458
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
bingo!CMS
Software vendor:
ShiftTech Inc.
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in the management functionality responsible for file uploads. A remote unauthenticated attacker can upload a malicious file to the server and execute it.
Successful exploitation of the vulnerability may result in full system compromise.
Note: the vulnerability is being exploited in the wild.
Remediation
Install updates from the vendor's website.