{"id":"CVE-2022-44036","details":"In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is \"very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it.\"","modified":"2026-04-10T04:52:13.893666Z","published":"2023-01-03T21:15:12.880Z","references":[{"type":"REPORT","url":"https://github.com/b2evolution/b2evolution/issues/121"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/b2evolution/b2evolution","events":[{"introduced":"0"},{"last_affected":"a7920fa31b433793ff59c14f70e6f01f613f595f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.2.5"}]}}],"versions":["6-9-4","6-9-5","6.0.0-alpha","6.0.0-alpha.1","6.1.2-alpha","6.10.2","6.10.3","6.10.4","6.10.5","6.10.6","6.10.7","6.10.8","6.11.4","6.11.5","6.11.6","6.4.2-beta","6.4.3-beta","6.4.4-beta","6.5.0","6.6.0","6.6.1","6.6.4","6.6.5","6.6.6","6.6.7","6.6.8","6.7.5","6.7.6","6.7.7","6.8.10","6.8.3","6.8.4","6.8.5","6.8.6","6.8.7","6.8.8","6.8.9","6.9.3","6.9.4","6.9.5","6.9.7","7.1.5","7.1.7","7.2.2","7.2.3","7.2.5","v5.2.0-stable"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-44036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}