PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability ([CWE-74]()).
Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.

## Impact

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

## Solution

**When XMLRPC API is NOT required: Disable XMLRPC API**

* If XMLRPC API is used as CGI/FastCGI
* Delete `mt-xmlrpc.cgi` or remove execute permission of `mt-xmlrpc.cgi`
* According to the developer, when PowerCMS environment variable `XMLRPCScript` is configured, the file may be renamed. In that case, implement this countermeasure to that renamed file
* If XMLRPC API is used as PSGI
* Configure environment variable `RestrictedPSGIApp `to prohibit XMLRPC application: `RestrictedPSGIApp xmlrpc`
**When XMLRPC API should be kept available: Apply the patch**
Apply the patch according to the information provided by the developer.

## Products Affected

* PowerCMS 6.021 and earlier (PowerCMS 6 Series)
* PowerCMS 5.21 and earlier (PowerCMS 5 Series)
* PowerCMS 4.51 and earlier (PowerCMS 4 Series)
The developer states that PowerCMS 3 Series and earlier, which are unsupported (End-of-Life, EOL) versions, are affected too.Read More