Cyber Resilience

CVE-2022-50905

Critical · Public PoC

Published: 13 January 2026

Modified: 21 January 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (42.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2022-50905 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in e107 (vendor E107, product E107). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

e107 CMS version 3.2.1 is affected by CVE-2022-50905, which encompasses multiple cross-site scripting (XSS) vulnerabilities rated at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-79. The first is a reflected XSS in the news comment functionality within the news.php component, triggered when authenticated users interact with the comment form by clicking outside the field after typing content, allowing injection of malicious JavaScript via a URL parameter. The second involves an upload restriction bypass in the image.php component's media manager remote URL upload feature, enabling authenticated administrators to upload SVG files containing malicious code, resulting in stored XSS upon access to those files.

The reflected XSS can be exploited by a remote attacker with no privileges: the attacker crafts a malicious URL and tricks an authenticated victim into visiting it and interacting with the comment form, which leads to JavaScript execution in the victim's browser context. For the stored XSS, an authenticated administrator must first upload the malicious SVG, after which any user accessing the file triggers the payload. Successful exploitation allows attackers to steal session cookies, perform actions on behalf of victims, or deface content, depending on the injected code.

Advisories and proof-of-concept exploits are available at sites including e107.org, vulncheck.com, and exploit-db.com/exploits/50910, with patches likely accessible via the e107.org/download page. The vulnerabilities were discovered by Hubert Wojciechowski.

Vulnerability details

e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

XSS in a public-facing CMS directly enables T1190 exploitation; reflected and stored payloads facilitate arbitrary JavaScript execution (T1059.007) and session hijacking via cookie theft (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11941 · Same product: E107 E107
CVE-2022-50907 · Same product: E107 E107
CVE-2022-50916 · Same product: E107 E107
CVE-2022-50939 · Same product: E107 E107
CVE-2025-27271 · Shared CWE-79
CVE-2025-40587 · Shared CWE-79
CVE-2025-0918 · Shared CWE-79
CVE-2025-69096 · Shared CWE-79
CVE-2025-13761 · Shared CWE-79
CVE-2024-13690 · Shared CWE-79

Affected Assets

Vendor: e107 · Product: e107 · Version: 3.2.1

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): requires validation of URL parameters in the news.php comment form and content of remotely uploaded files in image.php to block malicious JavaScript injection causing reflected and stored XSS.

SI-15 (prevent): filters outputs when rendering news comments and serving uploaded SVG files, preventing execution of injected scripts in users' browsers.

SI-2 (prevent): mandates timely identification, reporting, and patching of the specific flaws in news.php and image.php that enable these XSS vulnerabilities.
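
The SI-10 control applied to the remote URL upload path, as an added example that is not e107's own code (e107 is written in PHP; Python is used here for illustration). It judges fetched bytes by content rather than by file name or declared type and rejects SVG carrying active content. The function names, the raster allow-list and the sample input are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

RASTER_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")
# Constructed sample: an SVG fetched from a remote URL under an image-looking name.
SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'


def local(name):
    """Drop the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def upload_findings(data: bytes) -> list:
    """List reasons to reject fetched bytes, judged by content; [] means accept."""
    # File name and declared MIME type are ignored: both are attacker-chosen.
    if data.startswith(RASTER_MAGIC):
        return []
    try:
        text = data.decode("utf-8")  # other encodings are refused, not guessed
    except UnicodeDecodeError:
        return ["unrecognised content type"]
    if re.search(r"<!\s*(doctype|entity)", text, re.I):
        return ["DTD or entity declaration"]  # not needed in an image
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["unrecognised content type"]
    if local(root.tag) != "svg":
        return ["unrecognised content type"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            target = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
            if attr.startswith("on"):
                findings.append(f"{attr} handler on <{tag}>")
            elif target.startswith(ACTIVE_SCHEMES):  # strict: data: is refused too
                findings.append(f"active URL scheme in {attr} on <{tag}>")
    return findings

if __name__ == "__main__":
    print(upload_findings(SAMPLE))
```

A deny-list like this is a screening step only; for SI-15, serving user-uploaded SVG with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` covers what the screen misses.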
