PowerCMS XMLRPC API vulnerable to OS command injection


PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).

Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Alfasado Inc.
  • PowerCMS 5.19 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.49 and earlier (PowerCMS 4 Series)
  • PowerCMS 3.295 and earlier (PowerCMS 3 Series)

The developer states that PowerCMS 2 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.

[Updated on 2021 December 17] According to the developer, the patch released on 2021 October 22 was not sufficient to fix the vulnerability. If you use the XMLRPC API, apply the latest patch according to the information provided by the developer.

An arbitrary OS command may be executed by a remote attacker.

If the XMLRPC API is not used:
  • If running as CGI/FCGI
    • Delete mt-xmlrpc.cgi or remove execute permission from mt-xmlrpc.cgi
  • If running under PSGI
    • Set the environment variable RestrictedPSGIApp xmlrpc to prohibit the XMLRPC application
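
An added example, not part of the advisory or the developer's guidance: a shell check for the CGI/FCGI case that lists copies of mt-xmlrpc.cgi under a web root that still carry an execute bit, and can strip that bit. It assumes the file keeps its default name; the function names and the ROOT argument are this example's own, and the PSGI setting is not covered.

```shell
#!/bin/sh
# Added example (not from the advisory): find mt-xmlrpc.cgi copies that are
# still executable under a web root and, on request, strip the execute bit.
# Assumption: the CGI keeps its default file name, mt-xmlrpc.cgi.

# Print each regular file named mt-xmlrpc.cgi under $1 that has an execute
# bit set for owner, group or other. Symlinks are not followed.
list_executable_xmlrpc() {
    find "$1" -type f -name mt-xmlrpc.cgi \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Number of such files under $1.
count_executable_xmlrpc() {
    list_executable_xmlrpc "$1" | wc -l | tr -d ' '
}

# Remove execute permission for everyone from each such file under $1.
disable_xmlrpc() {
    find "$1" -type f -name mt-xmlrpc.cgi \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -exec chmod a-x {} +
}

# Script entry point: audit.sh ROOT [--fix]
# Exit status 0 means no executable copy remains, 1 means at least one does.
if [ "$#" -ge 1 ]; then
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }
    list_executable_xmlrpc "$root"
    if [ "${2:-}" = "--fix" ]; then
        disable_xmlrpc "$root"
    fi
    [ "$(count_executable_xmlrpc "$root")" -eq 0 ]
fi
```

Run without --fix, it only reports, so the non-zero exit status can drive a scheduled check that catches a copy restored by a later upgrade or redeploy.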

If the XMLRPC API is used:
[Upgrade the software and apply the patch]
Update the software to the latest version, and then apply the patch according to the information provided by the developer.

[Apply the workaround]
If an update cannot be applied, applying the following workaround may mitigate the impact of this vulnerability.
  • Restrict access to mt-xmlrpc.cgi (e.g. allow access only from trusted connection sources, or require HTTP authentication)
Vendor Information

Alfasado Inc.
CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
CVE

  1. CVE-2021-20850

  1. JVN : JVN#17645965
Revision History

  • [2021/11/24]
      Web page was published
  • [2021/12/21]
      Affected Products : Content was added