9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-25337

GHSA ID

GHSA-xwv6-v7qx-f5jc

EPSS Score

CWE

CWE-74

Published

2/19/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25337

CVE-2022-25337:
Code injection in ezsystems/ezpublish-kernel

When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, this limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors are removed from the original file name.

The second issue is that direct access to the images is not access controlled. This is by design, for performance reasons, and documented as such. But it does mean that images not meant to be publicly accessible can be accessed, provided that the image path and filename is correctly deduced and/or guessed, through dictionary attacks and similar.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-25337

GHSA ID

GHSA-xwv6-v7qx-f5jc

EPSS Score

CWE

CWE-74

Published

2/19/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezpublish-kernel	composer	>= 7.5.0, < 7.5.26	7.5.26

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability descriptions and references do not include specific code snippets, commit diffs, or explicit function names. The advisory focuses on high-level behavior (filename sanitization and lack of access control) rather than implementation details. While the vulnerability stems from insufficient sanitization in filename handling and insecure path generation, the exact functions responsible (e.g., filename sanitization routines, image storage path resolvers) cannot be identified with high confidence without access to the pre-patch codebase or explicit documentation of the affected components. The lack of GitHub patch/commit details further limits precise identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n im*** *il*s *r* uplo****, t**y *r* m*** ****ssi*l* un**r * n*m* simil*r to t** ori*in*l *il* n*m*. T**r* *r* two issu*s wit* t*is. *ot* r*quir* ****ss to uplo**in* im***s in or**r to *xploit t**m, t*is limits t** imp**t. T** *irst issu* is t**t

Reasoning

T** provi*** vuln*r**ility **s*riptions *n* r***r*n**s *o not in*lu** sp**i*i* *o** snipp*ts, *ommit *i**s, or *xpli*it *un*tion n*m*s. T** **visory *o*us*s on *i**-l*v*l ****vior (*il*n*m* s*nitiz*tion *n* l**k o* ****ss *ontrol) r*t**r t**n impl*m*

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-25337: Code injection in ezsystems/ezpublish-kernel

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-25337:
Code injection in ezsystems/ezpublish-kernel

Vulnerability Intelligence
Miggo AI