Phantom Bug: The Curious Case of CVE-2022-50807
Vulnerability ID: CVE-2022-50807
CVSS Score: 0.0 (Rejected)
Published: 2026-01-14
A deep dive into a 'vulnerability' that was assigned, feared, and ultimately rejected. Originally classified as a Critical XPath Injection in Concrete CMS, further analysis revealed it to be a simple Full Path Disclosure triggered only when an administrator leaves Debug Mode enabled.
TL;DR
Researcher threw SQLi payloads at a CMS. The CMS crashed and showed a stack trace because Debug Mode was on. Researcher called it XPath Injection. NVD called it Critical. The CNA eventually realized it was just a configuration error and rejected it.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-209 (Sensitive Information via Error Message)
- Attack Vector: Network (URL Parameter)
- CVSS: 0.0 (Rejected)
- Status: REJECTED
- Original Claim: XPath Injection (CWE-643)
- Actual Impact: Full Path Disclosure (FPD)
Affected Systems
- Concrete CMS 9.1.3
-
Concrete CMS: = 9.1.3 (Fixed in:
N/A)
Exploit Details
- Exploit-DB: EDB-51144 - Concrete5 CME v9.1.3 - Xpath injection
Mitigation Strategies
- Disable Debug Mode in Production
- Configure custom error pages (404/500)
- Implement WAF to block common injection characters in URLs
Remediation Steps:
- Locate php.ini configuration file.
- Set 'display_errors' to 'Off'.
- Log into Concrete CMS Dashboard.
- Navigate to System & Settings > Optimization > Debug.
- Set 'Debug Level' to 'Hide errors from visitors'.
References
Read the full report for CVE-2022-50807 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)