CVE-2022-22833
published 2022-02-06

CVE-2022-22833: An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request.

Priority: P2 · 58 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 11.48% (95.5th percentile)

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| servisnet | tessa | (not specified) | (not specified) |

Detection & IOCs (extracted from sources)

  • url: /js/app.js
  • path: /js/app.js
  • path: /data-service/users/[userid]
  • command: GET /js/app.js
  • Detect unauthenticated GET requests to /js/app.js — this file exposes MQTT credentials, Authorization header defaults, baseURL, and session logic used for privilege escalation.
  • Look for Authorization headers of the form 'Basic <base64(username:usersessionid)>' — the exploit constructs tokens by base64-encoding username and active sessionId extracted from the API, not a password.
  • Monitor POST requests to the users endpoint with JSON body containing role_id:1 and role_name 'Sistem Admin' — this is the payload used to add a rogue sysadmin account.
  • Detect the hardcoded encrypted password value 'hxZ8I33nmy9PZNhYhms/Dg==' (plaintext: 1111111111) in POST bodies to the users API — this is the fixed password used when creating the rogue admin user.
  • Alert on responses from /js/app.js containing the string 'connectionMQTT' — this indicates MQTT broker credentials (host, port, clientId, username, password) are exposed in the JavaScript file.
  • Alert on responses from /js/app.js containing 'default.a.defaults.headers.post' — this string indicates the hardcoded Authorization header value is present and the target is vulnerable.
  • Alert on responses from /js/app.js containing 'user.usersessionid' — the exploit uses this as its primary vulnerability check indicator.
  • Monitor POST requests to the signin endpoint (e.g. /api/auth/signin) with JSON credentials followed immediately by enumeration GET requests to /users/<id> in sequence — this is the exploit's login-then-enumerate-admin pattern.
  • The Metasploit module for CVE-2022-22833 (MQTT Credentials Dump) targets port 443 with SSL by default; defenders should also check for the same exposure on non-standard ports if the application is deployed differently.
  • The privilege escalation exploit (CVE-2022-22832, exploit-db 50712) requires an active admin session to be present — the rogue admin user can only be added if an admin is currently logged in and their sessionId is live.
  • The MQTT credential dump is fully unauthenticated — no prior credentials are needed to retrieve MQTT broker connection details from /js/app.js.

CVSS provenance

| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |