CVE-2022-47879

HIGH

Jedox - Code Injection

Title source: rule

Description

A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute their methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2, and later versions are not affected.

Exploits (1)

exploitdb WORKING POC
by Team Syslifters · text · webapps · php
https://www.exploit-db.com/exploits/51423

Scores

CVSS v3 7.5
EPSS 0.0745
EPSS Percentile 91.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
jedox/jedox 2020.2.5
jedox/jedox_cloud
Published May 12, 2023
Tracked Since Feb 18, 2026