CVE-2022-47878

HIGH

Jedox <= 22.2 - Authenticated Remote Code Execution via Default Storage Path Misconfiguration


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-47878, a PoC published by Team Syslifters.

AI-analyzed exploit summary: The exploit describes a vulnerability in Jedox 2020.2.5 where an authenticated attacker can set the default storage path to the web root directory, allowing arbitrary file uploads leading to remote code execution (RCE). The PoC outlines steps to exploit this via UI settings manipulation and file upload.

Description

Incorrect input validation for the default storage path in the settings page of Jedox 2020.2.5 allows remote, authenticated users to set the web root directory as the storage location. Subsequent file uploads can then lead to execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved in version 22.3, and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and does not impact cloud-hosted or SaaS environments.

Exploits (1)

exploitdb · WRITEUP
by Team Syslifters · text · webapps · php
https://www.exploit-db.com/exploits/51426

Classification
Writeup (90% confidence)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Jedox 2020.2 (20.2.5) and older
Authentication required: yes
Prerequisites: Authenticated access to Jedox application settings · Ability to upload files via the UI
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3.1: 8.8
EPSS: 0.3811
EPSS Percentile: 98.4%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status: published
Products (1): jedox/jedox 2020.2.5
Published: May 02, 2023
Tracked Since: Feb 18, 2026