CVE-2022-46157: 
PHP vulnerability analysis and mitigation

Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 contains a critical security vulnerability that allows remote authenticated users to execute arbitrary PHP code on the server through crafted image uploads. The vulnerability was disclosed on December 9, 2022, affecting the PHP-based Product Information Management (PIM) system (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical assessment indicates that the vulnerability can be exploited over the network with low attack complexity, requires low privileges, and needs no user interaction. The vulnerability is classified under CWE-434, relating to unrestricted file upload (GitHub Advisory, FortiGuard).

The successful exploitation of this vulnerability could lead to high impacts on confidentiality, integrity, and availability of the affected systems. Attackers could execute arbitrary PHP code on the server, potentially leading to complete system compromise (GitHub Advisory).

The vulnerability has been patched in versions 5.0.119 and 6.0.53 of Akeneo PIM Community Edition. For Cloud Based Akeneo PIM Services customers, the patch was applied on October 30th, 2022. Users must update their Apache HTTP server configuration accordingly. As a workaround, administrators should modify their Apache httpd configurations to implement proper security controls (GitHub Advisory).