
cpe:2.3:a:e107:e107:3.2.1:*:*:*:*:*:*:*

part: a version: 3.2.1 update: *

Vendor: E107 (6c60e221-90f9-5087-a0e5-d5cd5732e6aa)
Product: E107 (35b2a9c5-556b-5efe-8f1c-6c60a2550b4c)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/e107inc/e107 | purl2cpe | 2026-06-01 10:11:46.572173
pkg:sourceforge/e107 | purl2cpe | 2026-06-01 10:11:46.572174

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2022-50939 vulnerable 2026-06-08 05:52:03.749209 e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override
HIGH (7.2)
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface.
Published: 2026-01-13T22:52:03.612Z
Updated: 2026-04-07T14:06:43.577Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-50916 vulnerable 2026-06-08 05:52:03.700801 e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override
HIGH (7.2)
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory.
Published: 2026-01-13T22:51:52.935Z
Updated: 2026-04-07T14:06:39.742Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-50907 vulnerable 2026-06-08 05:52:03.687327 e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE
HIGH (7.2)
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature.
Published: 2026-01-13T22:51:49.167Z
Updated: 2026-04-07T14:06:36.939Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-50906 vulnerable 2026-06-08 05:52:03.686784 e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS
MEDIUM (4.8)
e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed.
Published: 2026-01-13T22:51:48.496Z
Updated: 2026-04-07T14:06:36.189Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-50905 vulnerable 2026-06-08 05:52:03.686219 e107 CMS v3.2.1 - Reflected XSS via Comment Flow
MEDIUM (6.1)
e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.
Published: 2026-01-13T22:51:48.032Z
Updated: 2026-04-07T14:06:35.479Z
Imported from gcve-enriched-dumps CVE data
