CVE-2022-24266
published 2022-01-31
CVE-2022-24266: Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
Priority P357, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 6.39% (92.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cuppacms | cuppacms | — | — |
Detection & IOCs (extracted from sources)
path: /components/table_manager/
command: order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044
- Detect time-based blind SQL injection attempts against Cuppa CMS by monitoring POST requests to /components/table_manager/ containing sleep() calls in the order_by parameter.
- Alert on POST requests to /components/table_manager/ with Content-Type: application/x-www-form-urlencoded; charset=UTF-8 where the order_by parameter contains SQL metacharacters (backtick, comment sequences --+-).
- Exploitation is authenticated; monitor for a login POST to / with parameters user, password, language, task=login immediately followed by a POST to /components/table_manager/; this two-step sequence is characteristic of the attack chain.
- Successful exploitation produces a response duration >= 6 seconds with HTTP 200, Content-Type text/html, and body containing the string 'list_admin_table'.
- The vulnerability requires prior authentication; the attacker must first obtain valid credentials and complete a login step before injecting via order_by.
- The SQL injection payload uses a 6-second sleep threshold for detection; time-based detection rules should account for network latency and set the threshold accordingly (template uses @timeout: 20s for the injection request).
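The detection points above, combined into one pass over web access records. This is an added example, not code from the source page or the Nuclei template; the record layout, the 60-second login window and the function name `analyze` are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

TARGET = "/components/table_manager/"
SLEEP_CALL = re.compile(r"sleep\s*\(", re.I)
METACHARS = re.compile(r"`|--|/\*|#")  # backtick plus MySQL comment openers
LOGIN_WINDOW_S = 60      # assumption: how closely the login must precede the request
DELAY_THRESHOLD_S = 6.0  # sleep value in the payload quoted on this page

def analyze(records):
    """Return one finding per POST to table_manager with a suspicious order_by."""
    last_login = {}  # client -> time of its most recent login POST
    findings = []
    for ts, client, method, path, body, status, duration in sorted(records):
        if method != "POST":
            continue
        form = parse_qs(body, keep_blank_values=True)  # URL-decodes the values
        if form.get("task") == ["login"]:
            last_login[client] = ts
            continue
        if not path.endswith(TARGET):
            continue
        value = " ".join(form.get("order_by", []))
        reasons = [name for name, rx in (("sleep_call", SLEEP_CALL), ("sql_metachar", METACHARS)) if rx.search(value)]
        if not reasons:
            continue
        findings.append({
            "client": client, "time": ts,
            "reasons": reasons,
            "after_login": ts - last_login.get(client, float("-inf")) <= LOGIN_WINDOW_S,
            "delay_observed": status == 200 and duration >= DELAY_THRESHOLD_S,
        })
    return findings

# Constructed sample records, not real traffic:
# (epoch seconds, client, method, path, form body, status, response seconds)
SAMPLE = [
    (100.0, "198.51.100.7", "POST", "/", "user=u&password=p&language=en&task=login", 200, 0.2),
    (101.5, "198.51.100.7", "POST", "/administrator/components/table_manager/",
     "order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-"
     "&path=component%2Ftable_manager%2Fview%2Fcu_users", 200, 6.4),
    (300.0, "203.0.113.9", "POST", "/administrator/components/table_manager/",
     "order_by=name&path=component%2Ftable_manager%2Fview%2Fcu_users", 200, 0.1),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Where response bodies are captured, the 'list_admin_table' string can be added as a further condition on `delay_observed`; the delay threshold should be tuned against the normal latency of the endpoint.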
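CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |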
No detection rules found.
Nuclei
Cuppa CMS v1.0 - SQL injection
nuclei·CVSS 7.5
CVE-2022-24266 [HIGH] Cuppa CMS v1.0 - SQL injection
Template:
```yaml
id: CVE-2022-24266
info:
  name: Cuppa CMS v1.0 - SQL injection
  author: theamanrawat
  severity: high
  description: |
    Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability.
  reference:
    - https://github.com/CuppaCMS/CuppaCMS
    - https://nvd.nist.gov/vuln/de
```
No writeups or analysis indexed.
Published: 2022-01-31