cbcvebase.
CVE-2020-17463
published 2020-08-13

CVE-2020-17463: FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.

Priority: P192, critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-10)
Exploited in the wild
EPSS: 90.04% (99.8th percentile)

Affected (1 range)

Vendor: thedaylightstudio
Product: fuel_cms
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0
url: /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0
path: /pages/items
path: /permissions/items
path: /navigation/items
other: col=location AND (SELECT 1340 FROM (SELECT(SLEEP(5)))ULQV)
  • Detect time-based blind SQLi attempts against Fuel CMS by monitoring GET requests to /pages/items, /permissions/items, or /navigation/items containing SLEEP() payloads in the 'col' parameter.
  • Alert on HTTP responses with duration >= 6 seconds from Fuel CMS endpoints combined with HTTP 200 status and body containing 'FUEL CMS', indicating successful time-based SQLi exploitation.
  • Monitor for the X-Requested-With: XMLHttpRequest header combined with SQLi payloads in the 'col' parameter on Fuel CMS item listing endpoints, as the exploit requires this header.
  • Shodan/FOFA queries (http.title:"fuel cms" or title="fuel cms") enumerate internet-exposed Fuel CMS instances; run them against your own address ranges to find installs that still need patching or should not be reachable from the internet.
  • The exploit also affects /logs/items in addition to the three paths listed in the CVE description; monitor all four endpoints for malicious 'col' parameter values.
  • The exploit requires prior authentication to Fuel CMS; the SQLi is triggered only after a valid login session is established (default credentials admin/admin were used in the PoC template).
  • The vulnerability was patched in Fuel CMS version 1.4.8; systems running 1.4.7 or earlier remain vulnerable.
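As an added example (not code from the page or its sources), the following Python check applies the first, second and fifth detection notes above to access-log lines: it looks for a non-column-name `col` value on the four Fuel CMS item-listing endpoints, flags SLEEP()/BENCHMARK() as time-based, and marks a 200 response slower than 6 seconds as a likely successful probe. The log line format, the 6-second threshold and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fuel CMS item-listing endpoints named on this page (the CVE text lists
# three; the PoC template also hits /logs/items). Matched as path suffixes so
# any install prefix (/fuel/, /fuelcms/) is covered.
ITEM_ENDPOINTS = ("/pages/items", "/permissions/items", "/navigation/items", "/logs/items")
# A legitimate 'col' value is a column name: no spaces, parentheses or operators.
CLEAN_COL = re.compile(r"^[A-Za-z0-9_.]+$")
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
SLOW_RESPONSE_SECS = 6.0  # threshold taken from the detection note above

# Constructed log format (assumption): "<METHOD> <url> <status> <seconds>".
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<secs>[\d.]+)$")


def inspect_request(line):
    """Return a finding for a suspicious 'col' request to a Fuel CMS item
    listing, or None if the line is benign or not such a request."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path = parts.path.rstrip("/")
    if not path.endswith(ITEM_ENDPOINTS):
        return None
    # parse_qs decodes '+' and %xx, so the SQL text is inspected as the
    # application (and the database) would see it.
    suspicious = [c for c in parse_qs(parts.query).get("col", []) if not CLEAN_COL.match(c)]
    if not suspicious:
        return None
    status, secs = int(m.group("status")), float(m.group("secs"))
    return {
        "path": path,
        "col": suspicious[0],
        "time_based": bool(TIME_BASED.search(suspicious[0])),
        # A 200 that took as long as the injected SLEEP() suggests the query ran.
        "likely_success": status == 200 and secs >= SLOW_RESPONSE_SECS,
    }


def scan(lines):
    """Run inspect_request over an iterable of log lines and keep the hits."""
    return [f for f in map(inspect_request, lines) if f]


# Constructed sample lines: one payload from the IOC list, a benign request,
# a shorter SLEEP() probe against /logs/items, and an unrelated page.
LOG_LINES = [
    "GET /fuel/pages/items/?limit=50&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 200 6.21",
    "GET /fuel/pages/items/?limit=50&order=asc&col=location&fuel_inline=0 200 0.04",
    "GET /fuel/logs/items/?col=id%20AND%20SLEEP(5)&order=desc 200 5.10",
    "GET /fuel/login 200 0.02",
]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```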

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL