CVE-2022-23898
published 2022-03-03

CVE-2022-23898: MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.

Priority: P2 · 66 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 7.73% (93.9th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
mingsoft | mcms | |

Detection & IOCs (extracted from sources)

url: /cms/content/list
command: categoryId=1' and updatexml(1,concat(0x7e,md5(999999999),0x7e),1) and 'zzz'='zzz
  • Detect exploitation attempts by monitoring POST requests to /cms/content/list with SQL injection payloads in the categoryId parameter, specifically using updatexml() error-based injection.
  • Confirm successful exploitation by checking HTTP response body for the partial MD5 hash string 'c8c605999f3d8352d7bb792cf3fdb25' (md5(999999999) truncated), which is the error-based SQLi canary value.
  • Identify MCMS-hosted targets via Shodan using favicon hash 1464851260 or FOFA query icon_hash="1464851260".
  • The vulnerable parameter is categoryId in the file IContentDao.xml; monitor SQL error responses (e.g., updatexml/XPATH errors) in responses to requests targeting this endpoint.
  • The exploit uses a numeric canary value (999999999) whose MD5 is computed at runtime; the response match string 'c8c605999f3d8352d7bb792cf3fdb25' is the first 31 characters of md5(999999999) as returned inside an XPATH error, so detection rules should account for this truncation.
  • The vulnerability is unauthenticated (PR:N, UI:N per CVSS), meaning no session or login is required to exploit the /cms/content/list endpoint.
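
The detection points above, combined into one log classifier. This is an added example, not code from the page's sources or from MCMS. It goes slightly beyond the bullets by also decoding categoryId from the query string, not only the POST body. The record field names, the numeric-id rule for benign values, and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cms/content/list"              # endpoint named on the page
CANARY = "c8c605999f3d8352d7bb792cf3fdb25"  # truncated md5 string quoted on the page
BENIGN_ID = re.compile(r"^\d+(,\d+)*$")     # assumption: legitimate values are numeric ids
SQLI_HINT = re.compile(r"updatexml\s*\(|'", re.I)
XPATH_ERR = re.compile(r"XPATH syntax error", re.I)

def category_ids(url, body):
    """Decode and collect categoryId values from the query string and a form body."""
    found = []
    for raw in (urlsplit(url).query, body or ""):
        found += parse_qs(raw, keep_blank_values=True).get("categoryId", [])
    return found

def classify(rec):
    """Return 'none', 'attempt' or 'confirmed' for one request/response record."""
    if ENDPOINT not in urlsplit(rec["url"]).path:
        return "none"
    ids = category_ids(rec["url"], rec.get("body"))
    if not any(not BENIGN_ID.match(v) and SQLI_HINT.search(v) for v in ids):
        return "none"
    resp = rec.get("response", "")
    # The canary arrives truncated inside the XPATH error, so match the 31-char form.
    if CANARY in resp or XPATH_ERR.search(resp):
        return "confirmed"
    return "attempt"

# Constructed records (not real traffic); field names are this example's own.
PAYLOAD = ("categoryId=1%27+and+updatexml(1%2Cconcat(0x7e%2Cmd5(999999999)%2C0x7e)%2C1)"
           "+and+%27zzz%27%3D%27zzz")
SAMPLES = [
    {"url": "/cms/content/list", "body": "categoryId=12", "response": '{"rows":[]}'},
    {"url": "/cms/content/list", "body": PAYLOAD, "response": '{"result":false}'},
    {"url": "/cms/content/list", "body": PAYLOAD,
     "response": "XPATH syntax error: '~c8c605999f3d8352d7bb792cf3fdb25'"},
    {"url": "/cms/other?categoryId=1%27", "body": "", "response": ""},
]

def run():
    return [classify(r) for r in SAMPLES]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLES, run()):
        print(verdict, rec["url"])
```

Matching on the decoded parameter value rather than the raw request line keeps the rule from being bypassed by percent-encoding, and treating any XPATH error on this endpoint as "confirmed" covers responses where the canary number differs from the one quoted here.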

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P