Published:2021/11/24  Last Updated:2021/11/24

JVN#17645965
PowerCMS XMLRPC API vulnerable to OS command injection

Overview

PowerCMS XMLRPC API contains an OS command injection vulnerability.

Products Affected

  • PowerCMS 5.19 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.49 and earlier (PowerCMS 4 Series)
  • PowerCMS 3.295 and earlier (PowerCMS 3 Series)
The developer states that PowerCMS 2 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.

Description

PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).

Impact

An arbitrary OS command may be executed by a remote attacker.

Solution

In the case that not using XMLRPC API:

  • If using as CGI/FCGI
    • Delete mt-xmlrpc.cgi or remove execute permission to mt-xmlrpc.cgi
  • If using in PSGI
    • By setting environment variable RestrictedPSGIApp xmlrpc, prohibit XMLRPC application
In the case that using XMLRPC API:
Upgrade the software and Apply the patch
Update the software to the latest version, and then apply the patch according to the information provided by the developer.

Apply the workaround
If an update cannot be applied, applying the following workaround may mitigate the impact of this vulnerability.
  • Restrict access to mt-xmlrpc.cgi (e.g. Restrict access only to trusted connection source, Set HTTP authentication)

Vendor Status

Vendor Status Last Update Vendor Notes
Alfasado Inc. Vulnerable 2021/11/24 Alfasado Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20850
JVN iPedia JVNDB-2021-000105

Update History

2021/11/24
Information under the section [Other Information] was added.