CVE-2022-23043: 
PHP vulnerability analysis and mitigation

CVE-2022-23043 is a security vulnerability discovered in Zenario CMS version 9.2 that allows authenticated admin users to bypass file upload restrictions. The vulnerability was discovered on January 13, 2022, and was publicly disclosed on February 18, 2022, after being patched (Fluid Attacks).

The vulnerability stems from an insecure file upload mechanism where authenticated administrators can create new File/MIME Types using the .phar extension. An attacker can exploit this by uploading a malicious file and intercepting the request to change the extension to .phar, enabling remote command execution on the server. The vulnerability has been assigned a CVSSv3.1 Base Score of 9.1 with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Fluid Attacks).

The vulnerability allows authenticated administrators to execute arbitrary commands on the server through malicious file uploads, potentially leading to complete system compromise. The high CVSS score of 9.1 indicates critical severity with potential for high impact on confidentiality, integrity, and availability of the system (Fluid Attacks).

The vulnerability has been patched in Zenario CMS version 9.2.55826, released on February 8, 2022. The update prevents administrators from uploading .phar files to the server. Users are advised to upgrade to the patched version immediately (GitHub Release).