CVE-2022-42154
Description
An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
74cmsSE v3.13.0 suffers from an arbitrary file upload vulnerability in /apiadmin/upload/attach, allowing authenticated attackers to execute arbitrary PHP code.
Vulnerability
74cmsSE v3.13.0 contains an arbitrary file upload vulnerability in the /apiadmin/upload/attach component. The upload handler does not enforce an effective restriction on the type of file it stores (neither the extension nor the content is checked in a way that stops a script), so an attacker can upload a crafted PHP file into a web-served location. The vulnerability is present in the affected version (74cmsSE v3.13.0) as confirmed by the discoverer [1].
Exploitation
The /apiadmin path is the application's back-end (admin) API, so the attacker is assumed to need an authenticated administrative session; this is an inference from the path, as the public description does not state the authentication requirement explicitly. Once authenticated, the attacker prepares a PHP file (for example one that calls phpinfo(), or a web shell) and submits it to /apiadmin/upload/attach as an attachment upload. The server stores the file without an effective extension or content check. The attacker then requests the stored file by its URL; because it sits under a web-served directory with a PHP-handled extension, the web server executes it [1].
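The two-step pattern above (a POST to the upload endpoint followed by a GET of a script-extension file under the upload directory from the same client) is what a defender can look for in web server access logs. The following is an added example, not code from the advisory or from 74cmsSE: the log lines are constructed, and the storage prefix /upload/ is an assumption, since the page does not say where 74cmsSE writes attachments.

```python
"""Flag the upload-then-execute sequence in Combined Log Format access logs.

Added example, not part of the original advisory or of 74cmsSE. The upload
storage prefix (/upload/) and every log line below are constructed for
illustration; the real 74cmsSE storage location may differ.
"""
import re

# Constructed sample: 10.0.0.5 uploads and then fetches a .php file (the attack),
# 10.0.0.9 uploads and fetches a PDF (benign admin), 10.0.0.7 probes a .phtml
# without ever uploading and gets a 404.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2022:10:01:02 +0000] "POST /apiadmin/upload/attach HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Oct/2022:10:01:09 +0000] "GET /upload/attach/20221017/shell.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Oct/2022:10:03:40 +0000] "POST /apiadmin/upload/attach HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Oct/2022:10:03:41 +0000] "GET /upload/attach/20221017/resume.pdf HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Oct/2022:10:05:00 +0000] "GET /upload/attach/old/info.phtml HTTP/1.1" 404 196 "-" "curl/7.81.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/apiadmin/upload/attach"   # the vulnerable endpoint named in the CVE
UPLOAD_DIR = "/upload/"                        # assumed storage prefix (constructed)
# Extensions a typical PHP handler mapping executes; matching only ".php" is not enough.
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar|phps)$", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before the extension check
    return rec


def find_upload_then_execute(log_text):
    """Return (ip, path) for each successful fetch of a script-extension file under
    UPLOAD_DIR by a client that earlier made a successful POST to UPLOAD_ENDPOINT."""
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ok = 200 <= rec["status"] < 300
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and ok:
            uploaders.add(rec["ip"])
        elif (ok and rec["ip"] in uploaders
              and rec["path"].startswith(UPLOAD_DIR)
              and EXEC_EXT.search(rec["path"])):
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT upload-then-execute from {ip}: {path}")
```

Correlating on source IP is the simplest join; behind a proxy or NAT, correlate on the authenticated session or user instead, and add a time window so an upload from last month does not taint today's traffic. A single 200 response for any script-extension path under the upload directory is itself worth alerting on, since no legitimate attachment should ever be served that way.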
Impact
Successful exploitation gives an authenticated attacker arbitrary PHP code execution on the web server, running with the privileges of the PHP worker process. From there the attacker can read files that process can reach (application configuration included), modify application data, or drop a persistent web shell. Because the whole application runs under that same process, all hosted data and configuration should be treated as compromised [1].
Mitigation
As of the publication date (October 17, 2022), no official patch or fixed version had been announced. Until one is available, users of 74cmsSE v3.13.0 should restrict back-end access to trusted administrators and harden the upload path itself: accept uploads only against an allowlist of expected extensions (a denylist of .php misses .phtml, .phar and similar handler-mapped extensions), verify that the file content matches the claimed type rather than trusting the client-supplied Content-Type, store uploads under a server-generated name, and make the upload directory non-executable (for example php_admin_flag engine off in an Apache mod_php configuration, or an nginx location rule that never passes that path to PHP-FPM) or keep uploads outside the web root altogether. A web application firewall that blocks executable-looking uploads is a stopgap, not a fix [1].
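To make the allowlist-versus-denylist point concrete, here is an added example (not 74cmsSE code, whose upload handler is PHP and is not reproduced on this page): a naive denylist check of the kind arbitrary-upload bugs slip past, next to a hardened check that allowlists the final extension, verifies leading bytes, strips the client-supplied name and stores under a random name. The function names and the sample file contents are constructed for illustration.

```python
"""Denylist-style upload check beside a hardened allowlist check.

Added example, not 74cmsSE code. Helper names are illustrative and the
file contents used as input are constructed.
"""
import os
import re
import secrets

# Allowlisted extensions and the bytes a genuine file of that type starts with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def naive_is_allowed(filename):
    """Denylist check that rejects only names ending in '.php'.

    This is the weak pattern: .phtml, .phar and other handler-mapped
    extensions pass, and 'x.php.jpg' still runs as PHP under an Apache
    AddHandler mapping that matches .php anywhere in the name."""
    return not filename.lower().endswith(".php")


def hardened_accept(filename, content):
    """Allowlist check. Returns the server-side name to store under, or None.

    - Uses only the basename, so directory components in the name are ignored.
    - Rejects control characters (null-byte truncation tricks).
    - Takes the final extension only and requires it to be allowlisted.
    - Requires the content to begin with the bytes that extension implies.
    - Discards the client name entirely: the stored name is random, so nothing
      the attacker controls reaches the filesystem or a URL.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or re.search(r"[\x00-\x1f\x7f]", base):
        return None
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs: a minimal JPEG header and a PHP payload.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php phpinfo(); ?>"


def compare(filename, content):
    """(naive verdict, hardened verdict) for one upload, for side-by-side display."""
    return naive_is_allowed(filename), hardened_accept(filename, content) is not None


if __name__ == "__main__":
    cases = [
        ("photo.jpg", JPEG_BYTES),        # legitimate upload
        ("shell.php", PHP_BYTES),         # the only case the denylist catches
        ("shell.phtml", PHP_BYTES),       # alternate PHP extension
        ("shell.php.jpg", PHP_BYTES),     # double extension
        ("shell.jpg\x00.php", PHP_BYTES), # null-byte truncation attempt
        ("shell.jpg", PHP_BYTES),         # right extension, wrong content
    ]
    for name, data in cases:
        naive, hardened = compare(name, data)
        print(f"{name!r:22} naive={naive!s:5} hardened={hardened}")
```

The leading-bytes check stops the lazy cases but not a polyglot (a valid JPEG with PHP appended), which is why the random server-side name and a non-executable upload directory are the controls that actually matter: even if script bytes get stored, nothing maps them to the PHP handler and the attacker cannot guess the URL.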
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
74cmsSE / 74cmsSE
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.