Description

e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.

INFO

Published Date :

2026-01-13T22:51:48.032Z

Last Modified :

2026-04-07T14:06:35.479Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2022-50905 vulnerability.

Vendors Products
E107
  • E107
  • E107 Cms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2022-50905.

URL Resource
https://e107.org/ cve-icon cve-icon
https://e107.org/download cve-icon cve-icon
https://www.exploit-db.com/exploits/50910 cve-icon cve-icon cve-icon
https://www.vulncheck.com/advisories/e-cms-reflected-xss-via-comment-flow cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact