CVE-2022-40471

CVSS 9.8 CRITICALEPSS 19.4%CWE-434

Vexday Risk Score

68High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 19.4%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

12 Oct 2022Public PoC

31 Oct 2022Metasploit module available

31 Oct 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Remote Code Execution in Clinic's Patient Management System v 1.0 allows Attacker to Upload arbitrary php webshell via profile picture upload functionality in users.php

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 2

githubgithub.com/RashidKhanPathan/CVE-2022-40471★ 9 githubgithub.com/Dharan10/CVE-2022-40471★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view?usp=sharing https://github.com/RashidKhanPathan/CVE-2022-40471 https://www.sourcecodester.com/php-clinics-patient-management-system-source-code