cbcvebase.
CVE-2022-24265
published 2022-01-31

CVE-2022-24265: Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.

PriorityP356high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
6.71%
93.1th percentile
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
cuppacmscuppacms

Detection & IOCsextracted from sources · hover to see the quote

url/administrator/components/menu/
path/components/menu/
commandpath=component%2Fmenu%2F%26menu_filter%3D3'+and+sleep(6)--+-&data_get=eyJtZW51X2ZpbHRlciI6IjMifQ%3D%3D&uniqueClass=wrapper_content_906185
  • Detect time-based blind SQL injection attempts against Cuppa CMS by monitoring POST requests to /components/menu/ containing sleep() payloads in the 'path' parameter, with response times >= 6 seconds.
  • Alert on POST requests to /components/menu/ where the body contains the string 'menu_filter' combined with SQL metacharacters (e.g., single quote, double-dash comment sequence).
  • Successful exploitation responses contain the string 'menu/html/edit.php' in the response body; correlate with anomalous response latency to confirm time-based SQLi.
  • The attack requires prior authentication; monitor for login POST to / with parameters user=, password=, language=en, task=login immediately followed by the injection request to /components/menu/.
  • The data_get parameter carries a base64-encoded JSON payload; the value eyJtZW51X2ZpbHRlciI6IjMifQ== (decodes to {"menu_filter":"3"}) is a static indicator present in exploit attempts.
  • ·The vulnerability is authenticated (requires valid CMS credentials); unauthenticated scanning will not reach the vulnerable endpoint.
  • ·Detection relies on a time-based (sleep) technique with a 6-second threshold; network latency or server load may cause false positives or false negatives. The Nuclei template sets a 20-second request timeout to accommodate this.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.