CVE-2022-28117
Published 2022-04-28
Priority P3 · 46 · medium · CVSS 3.1: 4.9
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 21.95% (97.3th percentile)
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naviwebs | navigate_cms | — | — |
Detection & IOCs (extracted from sources)
- SSRF payload is injected via the POST body parameter 'url' to the endpoint /navigate/navigate.php?fid=dashboard&act=json&oper=feed. Monitor for non-HTTP/HTTPS schemes (e.g., file://) in this parameter.
- The exploit abuses the CMS cache feature: the SSRF response is stored as an MD5 hash of the requested URL with a .feed extension under /private/1/cache/. Monitor GET requests to this path pattern for exfiltration.
- The exploit requires authentication. Monitor for login attempts followed immediately by POST requests to the feed endpoint, indicating automated exploitation. The session cookie name is NVSID.
- The CSRF token is extracted from the X-Csrf-Token response header during login and reused in subsequent exploit requests. Monitor for X-Csrf-Token header usage in POST requests to navigate.php.
- Successful exploitation of file:///etc/passwd via SSRF will result in a response body matching the regex root:.*:0:0: in the cached .feed file.
- Exploitation requires valid CMS credentials (authenticated SSRF). The vulnerability is only exploitable by users who can log in to Navigate CMS.
- The cached SSRF response file path is deterministic: it is the MD5 hash of the requested URL with a .feed extension under /private/1/cache/. Knowing the payload URL allows direct retrieval of the cached response.
- The vulnerability affects Navigate CMS version 2.9.4 and earlier. Version 2.9.5 contains the fix.
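The first two monitoring points above can be combined into one log correlation. This is an added example, not code from the exploit, the Nuclei template or Navigate CMS. It assumes a log source (for instance a WAF or reverse proxy) that exposes each request as a dict with `ip`, `method`, `path` and decoded POST fields under `form`, and that the cache name is the MD5 of the URL string exactly as submitted; the function names are hypothetical.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

FEED_QUERY = {"fid": "dashboard", "act": "json", "oper": "feed"}
CACHE_RE = re.compile(r"/private/1/cache/([0-9a-f]{32})\.feed$")

def cache_name(url):
    # Assumption: the cache file name is the MD5 of the URL string as submitted.
    return hashlib.md5(url.encode()).hexdigest()

def is_feed_request(ev):
    """True for POST /navigate/navigate.php?fid=dashboard&act=json&oper=feed."""
    parts = urlsplit(ev["path"])
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return (ev["method"] == "POST"
            and parts.path.endswith("/navigate/navigate.php")
            and all(query.get(k) == v for k, v in FEED_QUERY.items()))

def detect(events):
    """Return (kind, client_ip, feed_url) alerts in log order."""
    alerts, pending = [], {}  # pending: cache hash -> feed URL that created it
    for ev in events:
        url = ev.get("form", {}).get("url")
        if is_feed_request(ev) and url is not None:
            try:
                scheme = urlsplit(url.strip()).scheme.lower()
            except ValueError:  # malformed URL: treat as suspicious
                scheme = ""
            if scheme not in ("http", "https"):
                alerts.append(("non_http_feed_url", ev["ip"], url))
            pending[cache_name(url)] = url
        elif ev["method"] == "GET":
            hit = CACHE_RE.search(urlsplit(ev["path"]).path)
            if hit and hit.group(1) in pending:
                alerts.append(("cache_fetch_after_feed", ev["ip"], pending[hit.group(1)]))
    return alerts

# Constructed sample events (not real traffic); "form" holds decoded POST fields.
FEED = "/navigate/navigate.php?fid=dashboard&act=json&oper=feed"
SAMPLE = [
    {"ip": "203.0.113.7", "method": "POST", "path": FEED, "form": {"url": "https://example.org/rss.xml"}},
    {"ip": "203.0.113.7", "method": "POST", "path": FEED, "form": {"url": "file:///etc/passwd"}},
    {"ip": "203.0.113.7", "method": "GET", "path": "/private/1/cache/%s.feed" % cache_name("file:///etc/passwd")},
    {"ip": "198.51.100.9", "method": "GET", "path": "/private/1/cache/%s.feed" % ("0" * 32)},
    {"ip": "198.51.100.9", "method": "POST", "path": "/navigate/navigate.php?fid=items", "form": {"url": "file:///x"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A `cache_fetch_after_feed` alert for an ordinary http(s) feed URL is lower signal than one paired with `non_http_feed_url`, since the same cache path is written for legitimate feeds.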
CVSS provenance
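| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |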
No detection rules found.
Exploit-DB
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
exploitdb·2022-05-11·CVSS 4.9
---
#!/usr/bin/env python3
# Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
# Exploit Author: cheshireca7
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download
# Version: 2.9.4 and earlier
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-28117
#
# -*- coding: utf-8 -*-
import requests as r, signal
from emoji import emojize
from argparse import ArgumentParser
from sys import exit
from requests_toolbelt.multipart.encoder import MultipartEncoder
from hashlib import md5
from time import sleep
from base64 import b64decode,b64encode
from colorama import Fore, Style
#proxies = {'http':'h
Nuclei
Navigate CMS 2.9.4 - Server-Side Request Forgery
nuclei·CVSS 4.9
Navigate CMS 2.9.4 is susceptible to server-side request forgery via feed_parser class. This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible theft of sensitive information, data modification, and/or unauthorized operation execution.
Template:
id: CVE-2022-28117
info:
  name: Navigate CMS 2.9.4 - Server-Side Request Forgery
  author: theabhinavgaur
  severity: medium
  description: |
    Navigate CMS 2.9.4 is susceptible to server-side request forgery via feed_parser class. This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible thef
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/167063/Navigate-CMS-2.9.4-Server-Side-Request-Forgery.html
- https://www.navigatecms.com/en/blog/development/navigate_cms_update_2_9_5
- https://www.youtube.com/watch?v=4kHW95CMfD0