CVE-2020-7356
Published 2020-08-06
Priority P273 | critical | 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.01% (96.1th percentile)
CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cayin_technology | cayin_xpost | — | — |
| cayin_technology | cayin_xpost | — | — |
| cayin_technology | cayin_xpost | — | — |
| cayintech | xpost | — | — |
| cayintech | xpost | — | — |
| cayintech | xpost | — | — |
Detection & IOCs
- Monitor HTTP GET requests to wayfinder_meeting_input.jsp containing SQL metacharacters or injection patterns in the 'wayfinder_seqid' parameter; exploitation is unauthenticated and requires no session cookie.
- The exploit results in SYSTEM-level command execution via MySQL's bundled instance and Apache Tomcat; look for Tomcat/JSP spawning unexpected child processes (e.g., cmd.exe, powershell.exe) at SYSTEM privilege.
- Alert on reverse or bind shell payloads of type java/jsp_shell_reverse_tcp or java/jsp_shell_bind_tcp being delivered through this endpoint, as these are the only confirmed working payload types.
- The SQLi is blind; detect repeated, slightly varying GET requests to wayfinder_meeting_input.jsp in short succession (time-based or boolean-based blind SQLi enumeration pattern).
- Exploitation targets Cayin xPost versions 2.5 and below only; verify the installed version before applying detections to avoid false positives on patched deployments.
- The Metasploit module relies on static/default MySQL and Tomcat configuration bundled with xPost; detections based on default port/path assumptions may miss instances with non-default configurations.
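The request-level check and the burst check from the first and fourth bullets above, as an added example (not part of the original page and not a vendor rule). It assumes combined-format access logs and that a legitimate 'wayfinder_seqid' is a short decimal number; the thresholds, the `/app/` path and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

ENDPOINT, PARAM = "wayfinder_meeting_input.jsp", "wayfinder_seqid"
# Combined-log-format prefix: client, [timestamp], "METHOD target ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Assumption: a legitimate sequence id is a short decimal number.
BENIGN_VALUE = re.compile(r"\d{1,10}")
BURST_COUNT = 5                       # distinct suspicious values ...
BURST_WINDOW = timedelta(seconds=60)  # ... from one client in this window

def parse(line):
    """Return (client, time, value) for a GET to the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(3) != "GET":
        return None
    url = urlsplit(m.group(4))
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    # Match on the file name only, so non-default deployment paths still hit.
    if values is None or not url.path.lower().endswith("/" + ENDPOINT):
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, values[0]

def analyze(lines):
    """Return (suspicious requests, clients showing an enumeration burst)."""
    suspicious, per_client = [], defaultdict(list)
    for line in lines:
        hit = parse(line)
        if hit and not BENIGN_VALUE.fullmatch(hit[2]):
            suspicious.append(hit)
            per_client[hit[0]].append(hit)
    bursts = set()
    for client, hits in per_client.items():
        hits.sort(key=lambda h: h[1])
        for i, (_, start, _) in enumerate(hits):
            window = {v for _, t, v in hits[i:] if t - start <= BURST_WINDOW}
            if len(window) >= BURST_COUNT:
                bursts.add(client)
    return suspicious, bursts

def make_line(client, sec, value):  # constructed log line; /app/ is a placeholder
    return (f'{client} - - [06/Aug/2020:10:00:{sec:02d} +0000] '
            f'"GET /app/{ENDPOINT}?{PARAM}={value} HTTP/1.1" 200 512')
# Constructed sample: one normal request, one lone probe, one burst of six.
SAMPLE = ([make_line("10.0.0.5", 0, "12"), make_line("198.51.100.7", 5, "1%27")]
          + [make_line("203.0.113.9", 10 + n, f"1%27%20AND%201%3D{n}--%20") for n in range(6)])
print(sorted(analyze(SAMPLE)[1]))  # clients flagged for a burst
```

A lone non-numeric value is reported as suspicious but only a run of distinct values inside the window marks a client as enumerating, which keeps a single mistyped link from paging anyone.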
CVSS provenance
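| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |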