CVE-2022-24266
published 2022-01-31

CVE-2022-24266: Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.

Priority: P357
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 6.39% (92.8th percentile)

Affected

1 range
Vendor: cuppacms
Product: cuppacms
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /administrator/components/table_manager/
path: /components/table_manager/
command: order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044
  • Detect time-based blind SQL injection attempts against Cuppa CMS by monitoring POST requests to /components/table_manager/ containing sleep() calls in the order_by parameter.
  • Alert on POST requests to /components/table_manager/ with Content-Type: application/x-www-form-urlencoded; charset=UTF-8 where the order_by parameter contains SQL metacharacters (backtick, comment sequences --+-).
  • Exploitation is authenticated; monitor for login POST to / with parameters user, password, language, task=login immediately followed by a POST to /components/table_manager/ — this two-step sequence is characteristic of the attack chain.
  • Successful exploitation produces a response duration >= 6 seconds with HTTP 200, Content-Type text/html, and body containing the string 'list_admin_table'.
  • The vulnerability requires prior authentication; the attacker must first obtain valid credentials and complete a login step before injecting via order_by.
  • The SQL injection payload uses a 6-second sleep threshold for detection; time-based detection rules should account for network latency and set the threshold accordingly (the template uses @timeout: 20s for the injection request).
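As an added example (not from this page's sources or the Cuppa CMS project), the detection notes above expressed as a small Python check over constructed request records: a POST to /components/table_manager/ whose order_by carries sleep() or SQL metacharacters, the login-then-inject sequence per client, and the slow HTTP 200 response signature. The record field names, the sample traffic and the 60-second login window are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (not real traffic), modelled on the IOCs above.
# Fields: client, t (epoch seconds), method, path, body (form-encoded), status, secs, resp
SAMPLE = [
    dict(client="10.0.0.5", t=100.0, method="POST", path="/",
         body="user=admin&password=x&language=en&task=login", status=302, secs=0.2, resp=""),
    dict(client="10.0.0.5", t=101.5, method="POST", path="/administrator/components/table_manager/",
         body="order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-"
              "&path=component%2Ftable_manager%2Fview%2Fcu_users",
         status=200, secs=6.3, resp="<div class='list_admin_table'>"),
    dict(client="10.0.0.9", t=200.0, method="POST", path="/administrator/components/table_manager/",
         body="order_by=name&path=component%2Ftable_manager%2Fview%2Fcu_users",
         status=200, secs=0.1, resp="<div class='list_admin_table'>"),
]

# sleep() call, backtick, or SQL comment openers inside order_by
SQLI_METACHARS = re.compile(r"sleep\s*\(|`|--|/\*", re.IGNORECASE)


def is_sqli_attempt(req):
    """Notes 1-2: POST to table_manager whose order_by value carries sleep() or SQL metacharacters."""
    if req["method"] != "POST" or "/components/table_manager/" not in req["path"]:
        return False
    order_by = parse_qs(req["body"]).get("order_by", [""])[0]
    return bool(SQLI_METACHARS.search(order_by))


def looks_successful(req):
    """Note 4: response took >= 6 s, HTTP 200, body contains 'list_admin_table'."""
    return req["secs"] >= 6 and req["status"] == 200 and "list_admin_table" in req["resp"]


def login_then_inject(reqs, window=60.0):
    """Note 3: login POST (task=login) followed within `window` seconds by an
    injection attempt from the same client. Returns (client, time, success) tuples."""
    last_login, hits = {}, []
    for r in sorted(reqs, key=lambda r: r["t"]):
        if r["method"] == "POST" and r["path"] == "/" and parse_qs(r["body"]).get("task") == ["login"]:
            last_login[r["client"]] = r["t"]
        elif is_sqli_attempt(r) and r["t"] - last_login.get(r["client"], float("-inf")) <= window:
            hits.append((r["client"], r["t"], looks_successful(r)))
    return hits


if __name__ == "__main__":
    for hit in login_then_inject(SAMPLE):
        print("ALERT login -> table_manager SQLi (client, time, success):", hit)
```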

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NVD, CVSS v2.0: 7.8 HIGH (AV:N/AC:L/Au:N/C:C/I:N/A:N)