CVE-2022-24264
published 2022-01-31

CVE-2022-24264: Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.

Priority: P3 · 57 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 6.71% (93.1 percentile)

Affected (1 range)

Vendor      Product     Version range   Fixed in
cuppacms    cuppacms    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: /administrator/components/table_manager/
path: /components/table_manager/
command: search_word=')+union+all+select+1,md5('{{num}}'),3,4,5,6,7,8--+-&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_countries&uniqueClass=wrapper_content_518284
  • Detect SQL injection probe in POST body targeting the search_word parameter with UNION-based payload at /components/table_manager/
  • Successful exploitation returns an md5 hash value in the response body alongside the string 'td_available_languages'
  • Attack is authenticated; look for a preceding POST login request to / with user/password/language/task=login parameters before the injection request
  • Injection request uses Content-Type: application/x-www-form-urlencoded; charset=UTF-8; flag POST requests to /components/table_manager/ with this content type containing single-quote and UNION SELECT patterns in the body
  • The vulnerability affects Cuppa CMS v1.0 specifically; the CPE is cpe:2.3:a:cuppacms:cuppacms:1.0
  • Exploitation requires prior authentication (valid CMS credentials); unauthenticated scanning will not trigger the vulnerability

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 7.8 HIGH, AV:N/AC:L/Au:N/C:C/I:N/A:N