CVE-2022-40797
moderate-risk
Published 2022-11-09
Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)
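The root cause above is a blocklist of file extensions that stops short of everything the PHP handler will actually execute. The following is an added example, written for this page and not Roxy Fileman's own code, that models the vulnerable check beside the two fixes a practitioner would apply: extend the blocklist, or better, replace it with an allowlist. Assumptions (not taken from the page): conf.json stores FORBIDDEN_UPLOADS as a space-separated string of extensions and the only known default entries are the three named in the advisory; the ALLOWED_UPLOADS key is illustrative; the handler regex is the FilesMatch pattern Debian-derived distributions ship in their Apache mod_php configuration, and you should check the one on your own server.

```python
"""Model of the CVE-2022-40797 root cause (extension blocklist missing .phar),
beside an extended blocklist and an allowlist. Standalone example, not Roxy
Fileman code; the conf.json fragments below are constructed."""
import json
import re

# ASSUMPTION: conf.json keeps FORBIDDEN_UPLOADS as a space-separated string.
# Only the three default entries named in the advisory are known from the page.
DEFAULT_CONF = json.loads('{"FORBIDDEN_UPLOADS": "php php4 php5"}')

# Blocklist extended with the other extensions PHP handlers are commonly mapped
# to. Still a blocklist: anything not listed here is accepted.
HARDENED_BLOCKLIST_CONF = json.loads(
    '{"FORBIDDEN_UPLOADS": "php php3 php4 php5 php7 php8 phtml phar phps pht phpt inc"}'
)

# Allowlist alternative. ASSUMPTION: the key name ALLOWED_UPLOADS is illustrative.
ALLOWLIST_CONF = json.loads('{"ALLOWED_UPLOADS": "jpg jpeg png gif pdf txt"}')

# FilesMatch pattern shipped in Debian/Ubuntu Apache mod_php configs
# (/etc/apache2/mods-available/phpX.Y.conf). It is why a .phar upload runs.
# Check the handler mapping on your own server; it may differ.
MOD_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")


def _ext(filename: str) -> str:
    """Last extension of the basename, lowercased, without the dot ('' if none)."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def _listed(conf: dict, key: str) -> set:
    return set(conf.get(key, "").lower().split())


def blocklist_allows(conf: dict, filename: str) -> bool:
    """The vulnerable shape: accept unless the extension is explicitly forbidden."""
    return _ext(filename) not in _listed(conf, "FORBIDDEN_UPLOADS")


def allowlist_allows(conf: dict, filename: str) -> bool:
    """The safe shape: reject unless the extension is explicitly permitted."""
    ext = _ext(filename)
    return ext != "" and ext in _listed(conf, "ALLOWED_UPLOADS")


def executed_by_mod_php(filename: str) -> bool:
    """Would Apache hand this file to the PHP interpreter under the Debian default?"""
    return MOD_PHP_HANDLER.match(filename) is not None


def is_exploitable(upload_check, conf: dict, filename: str) -> bool:
    """RCE needs both halves: the filter lets the file in AND the server executes it."""
    return upload_check(conf, filename) and executed_by_mod_php(filename)


if __name__ == "__main__":
    for name in ("avatar.png", "shell.php", "shell.phtml", "shell.phar"):
        print(
            f"{name:12} default={is_exploitable(blocklist_allows, DEFAULT_CONF, name)!s:5} "
            f"hardened={is_exploitable(blocklist_allows, HARDENED_BLOCKLIST_CONF, name)!s:5} "
            f"allowlist={is_exploitable(allowlist_allows, ALLOWLIST_CONF, name)}"
        )
```

Run it and the default configuration lets shell.phar and shell.phtml through while the handler pattern executes both; the extended blocklist closes those two names but will miss the next extension your handler is mapped to, which is why the allowlist, combined with serving uploads from a directory where PHP execution is disabled, is the durable fix.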
Do I need to act?
EPSS: 12.6% chance of exploitation in the next 30 days (higher than 87% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 9.8/10 (Critical), attack vector NETWORK, attack complexity LOW
References (8)
Third Party Advisory
http://packetstormsecurity.com/files/169964/Roxy-Fileman-1.4.6-Remote-Shell-Uplo...
Third Party Advisory
https://gist.github.com/Hadi999/1f66fe7c5a217ca261ebfec36c630d18
Risk score: 49/100 (moderate-risk)
Severity: 32/34 (Critical)
Exploitability: 12/34 (Low)
Exposure: 5/34 (Minimal)