CVE-2022-50905
Published: 13 January 2026
Summary
CVE-2022-50905 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in E107 E107. Its CVSS base score is 9.8 (Critical).
Operationally, ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of URL parameters in the news.php comment form and content of remotely uploaded files in image.php to block malicious JavaScript injection causing reflected and stored XSS.
SI-15 filters outputs when rendering news comments and serving uploaded SVG files, preventing execution of injected scripts in users' browsers.
SI-2 mandates timely identification, reporting, and patching of the specific flaws in news.php and image.php that enable these XSS vulnerabilities.
NVD Description
e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious…
more
JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.
Deeper analysisAI
e107 CMS version 3.2.1 is affected by CVE-2022-50905, which encompasses multiple cross-site scripting (XSS) vulnerabilities rated at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-79. The first is a reflected XSS in the news comment functionality within the news.php component, triggered when authenticated users interact with the comment form by clicking outside the field after typing content, allowing injection of malicious JavaScript via a URL parameter. The second involves an upload restriction bypass in the image.php component's media manager remote URL upload feature, enabling authenticated administrators to upload SVG files containing malicious code, resulting in stored XSS upon access to those files.
These vulnerabilities can be exploited by remote attackers with no privileges required for the reflected XSS, where an attacker crafts a malicious URL and tricks an authenticated victim into visiting it and interacting with the comment form, leading to JavaScript execution in the victim's browser context. For the stored XSS, an authenticated administrator must first upload the malicious SVG, after which any user accessing the file triggers the payload. Successful exploitation allows attackers to steal session cookies, perform actions on behalf of victims, or deface content, depending on the injected code.
Advisories and proof-of-concept exploits are available at sites including e107.org, vulncheck.com, and exploit-db.com/exploits/50910, with patches likely accessible via the e107.org/download page. The vulnerabilities were discovered by Hubert Wojciechowski.
Details
- CWE(s)