{"id":"CVE-2022-23043","details":"Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server.","aliases":["GHSA-6r86-2jm9-9mh4"],"modified":"2026-03-15T14:46:34.610669Z","published":"2022-02-24T15:15:28.403Z","references":[{"type":"FIX","url":"https://fluidattacks.com/advisories/simone/"},{"type":"FIX","url":"https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tribalsystems/zenario","events":[{"introduced":"0"},{"last_affected":"0c65c8c3446059491a95edf38cb73d70321eccbc"},{"fixed":"f0682d22688d9921dc0dfd6e858900ebf2706f19"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.2"}]}}],"versions":["7.0.2e","7.0.3a","7.0.4b","7.0.5b","7.0.5c","7.0.6a","7.0.6b","7.0.7a","7.0.7b","7.0.7c","7.0.7d","7.0.7e","7.1.0","7.1.1","7.1.2","7.2.0","7.2.1","7.2.2","7.2.3","7.3.0","7.4.0","7.4.1","7.4.2","7.4.3","7.4.4","7.5.0","7.5.40440","7.5.41006","7.5.41499","7.6.41504","7.6.41633","7.6.42085","7.7.42682","7.7.42963","7.7.42990","7.7.44223","8.0.44237","8.0.44273","8.0.44294","8.0.44521","8.0.45032","8.0.45250","8.0.45529","8.1.45530","8.1.45698","8.1.46089","8.1.46433","8.2.46436","8.2.46614","8.2.47180","8.2.47369","8.2.47992","8.3.47997","8.3.48583","8.3.50564","8.4.50565","8.5.50567","8.5.50837","8.5.51340","8.6.51342","8.7","8.8","8.8.53370","8.8.53725","8.9.54063","8.9.54149","8.9.54153","9.0.54156","9.0.55141","9.1.55143","9.1.55510","9.1.55619","9.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23043.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}