Published:2021/11/24  Last Updated:2021/11/24

PowerCMS XMLRPC API vulnerable to OS command injection


PowerCMS XMLRPC API contains an OS command injection vulnerability.

Products Affected

  • PowerCMS 5.19 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.49 and earlier (PowerCMS 4 Series)
  • PowerCMS 3.295 and earlier (PowerCMS 3 Series)
The developer states that PowerCMS 2 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.


PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).


An arbitrary OS command may be executed by a remote attacker.


In the case that not using XMLRPC API:

  • If using as CGI/FCGI
    • Delete mt-xmlrpc.cgi or remove execute permission to mt-xmlrpc.cgi
  • If using in PSGI
    • By setting environment variable RestrictedPSGIApp xmlrpc, prohibit XMLRPC application
In the case that using XMLRPC API:
Upgrade the software and Apply the patch
Update the software to the latest version, and then apply the patch according to the information provided by the developer.

Apply the workaround
If an update cannot be applied, applying the following workaround may mitigate the impact of this vulnerability.
  • Restrict access to mt-xmlrpc.cgi (e.g. Restrict access only to trusted connection source, Set HTTP authentication)

Vendor Status

Vendor Status Last Update Vendor Notes
Alfasado Inc. Vulnerable 2021/11/24 Alfasado Inc. website


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 9.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 7.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2021-20850
JVN iPedia JVNDB-2021-000105

Update History

Information under the section [Other Information] was added.