CVE-2020-17463
published 2020-08-13
CVE-2020-17463: FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Priority P192 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-06-10
Exploited in the wild
EPSS: 90.04% (99.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thedaylightstudio | fuel_cms | — | — |
Detection & IOCs (extracted from sources)
url: /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0
url: /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0
- Detect time-based blind SQLi attempts against Fuel CMS by monitoring GET requests to /pages/items, /permissions/items, or /navigation/items containing SLEEP() payloads in the 'col' parameter.
- Alert on HTTP responses with duration >= 6 seconds from Fuel CMS endpoints combined with HTTP 200 status and body containing 'FUEL CMS', indicating successful time-based SQLi exploitation.
- Monitor for the X-Requested-With: XMLHttpRequest header combined with SQLi payloads in the 'col' parameter on Fuel CMS item listing endpoints, as the exploit requires this header.
- Use Shodan/FOFA queries to identify exposed Fuel CMS instances as potential targets: http.title:"fuel cms" or title="fuel cms".
- The exploit also affects /logs/items in addition to the three paths listed in the CVE description; monitor all four endpoints for malicious 'col' parameter values.
- The exploit requires prior authentication to Fuel CMS; the SQLi is triggered only after a valid login session is established (default credentials admin/admin were used in the PoC template).
- The vulnerability was patched in Fuel CMS version 1.4.8; systems running 1.4.7 or earlier remain vulnerable.
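The first two detection notes above, sketched as a log check. This is an added example, not code from any of the indexed sources; it goes slightly beyond matching SLEEP() by flagging any 'col' value that is not a bare column name. The log layout (combined format plus a trailing response time in seconds), the bare-identifier rule, and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints from the page: the three in the CVE text plus /logs/items.
ENDPOINT = re.compile(r"/(pages|permissions|navigation|logs)/items/?$")
# Assumption: a legitimate sort column is a bare identifier such as "location".
SAFE_COL = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
SLEEP = re.compile(r"\bsleep\s*\(", re.I)
# Combined log format; the trailing response time (seconds) is an assumed extra field.
LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+(?: (?P<secs>[\d.]+))?')

def inspect(line, slow_secs=6.0):
    """Return {'path', 'reasons'} for a suspicious request, else None."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not ENDPOINT.search(url.path):
        return None
    reasons = []
    # parse_qs decodes '+' and %XX, so encoded values are checked in clear form.
    for col in parse_qs(url.query).get("col", []):
        if not SAFE_COL.fullmatch(col):
            reasons.append("col is not a bare column name")
        if SLEEP.search(col):
            reasons.append("time-delay function in col")
    if not reasons:
        return None
    if m["status"] == "200" and m["secs"] and float(m["secs"]) >= slow_secs:
        reasons.append("slow 200 response")
    return {"path": url.path, "reasons": reasons}

def scan(lines):
    return [hit for hit in map(inspect, lines) if hit]

# Constructed sample log lines; the second reuses the URL listed above.
SAMPLE = [
    '198.51.100.7 - - [13/Aug/2020:10:00:01 +0000] "GET /fuel/pages/items/?limit=50&order=asc&col=location&fuel_inline=0 HTTP/1.1" 200 5120 0.041',
    '198.51.100.9 - - [13/Aug/2020:10:00:07 +0000] "GET /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 HTTP/1.1" 200 5120 6.018',
    '198.51.100.9 - - [13/Aug/2020:10:00:09 +0000] "GET /fuel/logs/items/?col=entry_date%20desc%2C1&order=asc HTTP/1.1" 200 2048 0.030',
    '198.51.100.7 - - [13/Aug/2020:10:00:11 +0000] "GET /fuel/dashboard?col=a+b HTTP/1.1" 200 900 0.012',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same allowlist applied server-side to the sort column, before the value reaches the query, is the input-validation counterpart of this check.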
CVSS provenance
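| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |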
CISA
Fuel CMS SQL Injection Vulnerability
cisa·2021-12-10·CVSS 9.8
CVE-2020-17463 [CRITICAL] CWE-89 Fuel CMS SQL Injection Vulnerability
Vulnerability: Fuel CMS SQL Injection Vulnerability
Affected: Fuel CMS Fuel CMS
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-17463
Remediation Due Date: 2022-06-10
GHSA
GHSA-h5p3-6ppq-r5h3: FUEL CMS 1
ghsa_unreviewed·2022-05-24
CVE-2020-17463 [HIGH] CWE-89 GHSA-h5p3-6ppq-r5h3: FUEL CMS 1
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
VulnCheck
Fuel CMS SQL Injection Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-17463 [CRITICAL] CWE-89 Fuel CMS SQL Injection Vulnerability
Fuel CMS SQL Injection Vulnerability
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Affected: Fuel CMS Fuel CMS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-10
No detection rules found.
Exploit-DB
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
exploitdb·2020-08-11·CVSS 9.8
CVE-2020-17463 [CRITICAL] Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
---
# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-01
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
# Version: 1.4.7
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-17463
1. Description:
Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
2. Proof of Concept:
In Burpsuite intercept the request from one of the affected pages with 'col'
Nuclei
Fuel CMS 1.4.7 - SQL Injection
nuclei·CVSS 9.8
CVE-2020-17463 [CRITICAL] Fuel CMS 1.4.7 - SQL Injection
Fuel CMS 1.4.7 - SQL Injection
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Template:
id: CVE-2020-17463
info:
  name: Fuel CMS 1.4.7 - SQL Injection
  author: Thirukrishnan
  severity: critical
  description: |
    FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: Fixed in version 115
  reference:
    - https://www.exploit-db.com/exploits/48741
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17463
    - http://packetstormsecurity.com/files/158840/Fuel-CMS-1.4.7-SQL-Injection.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/158840/Fuel-CMS-1.4.7-SQL-Injection.html
- https://cwe.mitre.org/data/definitions/89.html
- https://getfuelcms.com
- https://github.com/daylightstudio/FUEL-CMS/archive/master.zip
- https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.8
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17463
2020-08-13: Published
2021-12-10: Added to CISA KEV
Exploited in the wild