CVE-2022-26271
published 2022-03-28

CVE-2022-26271: 74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php.

Priority: P3 (55) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: public exploit flagged
EPSS: 4.63% (90.6th percentile)

Affected (1 range)

Vendor   Product   Version range   Fixed in
74cms    74cms     (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path  /index/download/index?name=index.php&url=../../application/database.php
path  \index\controller\Download.php
  • An HTTP GET request to /index/download/index with a path-traversal sequence in the url parameter targeting application/database.php indicates an exploitation attempt.
  • A response body containing all of '<?php', 'return array', 'password' and 'database' indicates a successful arbitrary file read of the database configuration.
  • Successful exploitation returns Content-Type: application/octet-stream; monitor for this content type on download endpoints combined with path-traversal sequences in query parameters.
  • Shodan and FOFA fingerprints for exposed 74cms instances: http.html:"74cms" (Shodan) or app="74cms" (FOFA).
  • The vulnerability is unauthenticated (PR:N, UI:N) and network-reachable (AV:N): no credentials are needed to read files via the $url parameter.
  • The vulnerable parameter is $url in the Download controller; any path-traversal sequence passed to it may read any file readable by the web-server process.
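The indicators above translate directly into detection logic. The following is an added example written for this page, not code from 74cms or from the advisory sources: it parses a few constructed access-log lines in combined log format, flags GET requests to the Download route whose url parameter carries a traversal sequence (including percent-encoded and double-encoded forms, which the plain-text indicator above would miss), and classifies a response by the Content-Type and body markers listed above. The function names, the sample log lines and the sample response body are all my own. One deliberate extension: the advisory's marker set requires the literal 'return array', but ThinkPHP 5 configuration files use the short-array form 'return [', so the body check accepts either spelling.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 1-2 are exploitation attempts (plain and percent-encoded traversal),
# line 3 is a legitimate download, line 4 is traversal against a different route.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2022:10:01:12 +0000] "GET /index/download/index?name=index.php&url=../../application/database.php HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.8 - - [28/Mar/2022:10:01:15 +0000] "GET /index/download/index?name=a.txt&url=%2e%2e%2f%2e%2e%2fapplication%2fdatabase.php HTTP/1.1" 200 512 "-" "python-requests/2.27"
198.51.100.2 - - [28/Mar/2022:10:02:00 +0000] "GET /index/download/index?name=resume.pdf&url=upload/resume.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.3 - - [28/Mar/2022:10:02:30 +0000] "GET /index/news/list?url=../../etc/passwd HTTP/1.1" 404 180 "-" "Mozilla/5.0"
"""

# Constructed response body shaped like a ThinkPHP 5 database.php; not a real config.
SAMPLE_BODY = """<?php
return [
    'type'     => 'mysql',
    'hostname' => '127.0.0.1',
    'database' => 'cms74',
    'username' => 'root',
    'password' => 'example',
];
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')      # "../" or "..\"
VULN_PATH = "/index/download/index"           # route served by \index\controller\Download.php
CONFIG_MARKERS = ("<?php", "password", "database")


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    """True when the request target hits the Download route with ../ or ..\\ in url=."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != VULN_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)   # one decoding pass happens here
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in query.get("url", []))


def is_leaked_config(body):
    """True when a response body looks like a leaked PHP database config.
    The advisory's markers require 'return array'; ThinkPHP 5 configs use
    'return [' instead, so both spellings are accepted here (my extension)."""
    has_return = "return array" in body or "return [" in body
    return has_return and all(m in body for m in CONFIG_MARKERS)


def is_leak_response(content_type, body):
    """Header indicator (application/octet-stream) combined with the body markers."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "application/octet-stream" and is_leaked_config(body)


def scan_access_log(text):
    """Return (client_ip, status, target) for every GET matching the exploitation pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method").upper() == "GET" and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
    print("leaked config:", is_leak_response("application/octet-stream", SAMPLE_BODY))
```

Run against the constructed log, the scanner reports the two traversal requests and ignores both the legitimate download and the traversal aimed at an unrelated route. The access log alone cannot tell a successful read from a blocked one, which is why is_leak_response keys on the response side: a 200 with application/octet-stream and a body that reads like a PHP config is the confirmation signal, and it is only available where response bodies are captured (a WAF, reverse proxy or full-packet capture), not from a standard access log.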

CVSS provenance

NVD   v3.1   7.5   HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD   v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:P/I:N/A:N