CVE-2022-29624

8.8 HIGH

📋 TL;DR

CVE-2022-29624 is an arbitrary file upload vulnerability in TPCMS v3.2 that allows attackers to upload malicious PHP files through the Add File function. This enables remote code execution on affected systems, potentially compromising the entire web server. Organizations using TPCMS v3.2 are at risk.

💻 Affected Systems

Products:
  • TPCMS
Versions: v3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default Add File functionality without requiring special configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠

Likely Case

Webshell deployment allowing attackers to execute commands, steal data, deface websites, and use the server for further attacks.

🟢

If Mitigated

Attackers can upload files but cannot execute them due to proper file type validation and execution restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the Add File function, but once authenticated, uploading malicious PHP files is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.3 or later

Vendor Advisory: https://gitee.com/happy_source/tpcms/issues/I533KY

Restart Required: No

Instructions:

1. Back up your TPCMS installation and database.
2. Download the latest version from the official repository.
3. Replace all files with the patched version.
4. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

File Upload Restriction

all

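Block PHP files in the affected upload directory at the web server. The rule below denies HTTP access to uploaded .php files so they cannot be executed; it does not stop the upload itself, and it matches only the .php extension.

# Add to .htaccess in upload directory (denies HTTP access to .php files):
<Files *.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>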

Web Application Firewall Rule

all

Block requests containing PHP file uploads to the vulnerable endpoint

🧯 If You Can't Patch

  • Disable the Add File functionality completely in TPCMS admin panel
  • Implement strict file type validation and store uploaded files outside the web root directory

🔍 How to Verify

Check if Vulnerable:

Check if TPCMS version is 3.2 by examining the admin panel or version files. Test if PHP files can be uploaded via the Add File function.

Check Version:

# Check version in TPCMS admin panel or look for version.php file

Verify Fix Applied:

After updating, attempt to upload a PHP file via the Add File function - it should be rejected. Verify version shows 3.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to TPCMS upload directory
  • PHP file uploads via Add File function
  • Multiple failed upload attempts

Network Indicators:

  • POST requests to upload endpoints with PHP file content
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri="/admin/upload" OR uri="/addfile") AND file_extension="php"
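
The log indicators above, as an added example (not part of the original advisory and not TPCMS code): a Python scan of combined-format access logs for requests to PHP-executable files under the upload directory, separating requests the server answered from ones it refused. The upload path `/uploads/` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Add File stores uploads under this URL path; set it for your site.
UPLOAD_PREFIX = "/uploads/"
# Extensions commonly mapped to the PHP handler; a path-info suffix is allowed.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def script_requests(lines, prefix=UPLOAD_PREFIX):
    """Return requests for PHP-executable files under the upload path.

    verdict is "served" when the server answered 2xx and "blocked" for
    any other status (for example a 403 from the .htaccess workaround).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and decode %-escapes before matching.
        path = unquote(urlsplit(m["uri"]).path)
        if path.startswith(prefix) and SCRIPT_EXT.search(path):
            verdict = "served" if m["status"].startswith("2") else "blocked"
            hits.append((m["ip"], m["method"], path, int(m["status"]), verdict))
    return hits

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2022:10:00:01 +0000] "POST /admin/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jun/2022:10:00:05 +0000] "GET /uploads/a1.php?x=1 HTTP/1.1" 200 87 "-" "curl/7.81"',
    '198.51.100.7 - - [01/Jun/2022:10:02:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2022:10:03:00 +0000] "GET /uploads/doc%2Ephtml HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2022:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in script_requests(SAMPLE_LOG):
        print(hit)
```

A "served" hit warrants immediate review of the file on disk; "blocked" hits show the workaround is holding but that a script was still uploaded.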
