Arbitrary Remote Code Execution in Exponent CMS 2.6.0patch2

Arbitrary Remote Code Execution in Exponent CMS 2.6.0patch2

CVE-2022-23048 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

Learn more about our Cms Pen Testing.