CVE-2022-26982: Code Injection
DISPUTED SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server.
Affected Software
Event History
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-26982.
What is the severity of CVE-2022-26982?
The severity of CVE-2022-26982 is high with a CVSS score of 7.2.
Which version of SimpleMachinesForum is affected by CVE-2022-26982?
SimpleMachinesForum version 2.1.1 and earlier are affected by CVE-2022-26982.
How can remote authenticated administrators exploit CVE-2022-26982?
Remote authenticated administrators can execute arbitrary code by inserting vulnerable PHP code into the themes because the themes can be modified by an administrator.
Are there any available references for CVE-2022-26982?
Yes, you can find references for CVE-2022-26982 at the following links: [Reference 1](http://packetstormsecurity.com/files/171486/SimpleMachinesForum-2.1.1-Remote-Code-Execution.html) and [Reference 2](https://github.com/sartlabs/0days/blob/main/SimpleMachinesForum/Exploit.txt).