E107
Monthly
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Host Header Injection in e107 CMS versions prior to 2.3.4 allows remote attackers to poison password reset emails by manipulating the HTTP Host header, producing reset links that point to attacker-controlled domains. Successful exploitation enables credential harvesting and full account takeover, including administrator accounts, when a victim clicks the malicious reset link. Publicly available exploit code exists per SSVC, though EPSS (0.13%) suggests low broad-scale exploitation activity and the issue is not on the CISA KEV list.
Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.
Server-Side Request Forgery (SSRF) in e107 CMS versions prior to 2.3.4 allows authenticated administrators to reach internal network resources by supplying IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) in the Media Manager's remote URL fetch feature, bypassing PHP's private-range IP filter. The root cause is a normalization gap in file_class.php where PHP's filter_var with FILTER_FLAG_NO_PRIV_RANGE does not canonicalize IPv4-mapped IPv6 notation, leaving loopback and private ranges reachable. Publicly available exploit code exists per SSVC data, though EPSS sits at 0.03% (7th percentile) and the vulnerability is not listed in CISA KEV, indicating low observed exploitation volume.
e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overwrite arbitrary server files through path traversal. [CVSS 7.2 HIGH]
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to overwrite server files through the Media Manager import functionality. [CVSS 7.2 HIGH]
e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. [CVSS 7.2 HIGH]
e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. [CVSS 4.8 MEDIUM]
e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. The CVSS rating of 9.8 suggests exploitation potential beyond typical XSS. A PoC is available.
Path traversal in e107 CMS up to version 2.3.3 allows authenticated remote attackers to manipulate the multiaction[] parameter in the Avatar Handler (/e107_admin/image.php) to access or modify arbitrary files on the server. The vulnerability requires valid user credentials but has low CVSS impact (2.1) and extremely low exploitation probability (EPSS 0.11%), though publicly available exploit code exists and the vendor has not provided a response or patch.