Published: 2021/11/24 Last Updated: 2021/12/17
JVN#17645965
PowerCMS XMLRPC API vulnerable to OS command injection
Overview
PowerCMS XMLRPC API contains an OS command injection vulnerability.
Products Affected
- PowerCMS 5.19 and earlier (PowerCMS 5 Series)
- PowerCMS 4.49 and earlier (PowerCMS 4 Series)
- PowerCMS 3.295 and earlier (PowerCMS 3 Series)
【Updated on 2021 December 17】
According to the developer, the patch released on 2021 October 22 was not sufficient to fix the vulnerability.
Therefore, if you use the XMLRPC API, apply the latest patch according to the information provided by the developer.
Description
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).
Impact
An arbitrary OS command may be executed by a remote attacker.
Solution
If the XMLRPC API is not used:
- If running as CGI/FCGI
  - Delete mt-xmlrpc.cgi or remove the execute permission from mt-xmlrpc.cgi
- If running under PSGI
  - Prohibit the XMLRPC application by setting the environment variable RestrictedPSGIApp xmlrpc
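The CGI/FCGI step above can be checked across an install tree with a short script. This is an added example, not code from JVN or Alfasado Inc.; the install directory argument and the function names are assumptions, and it covers only the CGI/FCGI case.

```sh
#!/bin/sh
# Added example: audit a PowerCMS install tree for an executable mt-xmlrpc.cgi.
# Assumption: the operator supplies the install directory; function names are illustrative.

# List every mt-xmlrpc.cgi under $1 that still has an execute bit set
# (owner, group or other). Portable POSIX find, no GNU-only -perm syntax.
find_exposed_xmlrpc() {
    find "$1" -type f -name 'mt-xmlrpc.cgi' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
}

# Number of exposed copies; 0 means the CGI/FCGI mitigation holds for this tree.
count_exposed_xmlrpc() {
    find_exposed_xmlrpc "$1" | wc -l | tr -d ' '
}

# Remove execute permission from each exposed copy and report what changed.
disable_xmlrpc() {
    find_exposed_xmlrpc "$1" | while IFS= read -r f; do
        chmod a-x "$f" && printf 'disabled: %s\n' "$f"
    done
}

# Usage: sh audit-xmlrpc.sh <install-dir> [--fix]
main() {
    dir=$1
    [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
    [ "${2:-}" = "--fix" ] && disable_xmlrpc "$dir"
    remaining=$(count_exposed_xmlrpc "$dir")
    printf 'executable mt-xmlrpc.cgi remaining: %s\n' "$remaining"
    [ "$remaining" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Without `--fix` the script only reports; the exit status is non-zero while any executable copy remains, so it can gate a deployment or a scheduled check.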
Upgrade the software and apply the patch
Update the software to the latest version, and then apply the patch according to the information provided by the developer.
Apply the workaround
If an update cannot be applied, applying the following workaround may mitigate the impact of this vulnerability.
- Restrict access to mt-xmlrpc.cgi (e.g. restrict access to trusted connection sources only, set HTTP authentication)
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Alfasado Inc. | Vulnerable | 2021/12/17 | Alfasado Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
CVSS v2
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20850 |
JVN iPedia | JVNDB-2021-000105 |
Update History
- 2021/11/24
  - Information under the section [Other Information] was added.
- 2021/12/17
  - Information under the section [Products Affected] was updated.
- 2021/12/17
  - Alfasado Inc. update status