CVE-2022-28117
published 2022-04-28

CVE-2022-28117: A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests…

Priority: P3 (46), medium; CVSS 3.1 base score 4.9
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploit: available
EPSS: 21.95% (97.3rd percentile)
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.

Affected (1 range)

Vendor    Product        Version range    Fixed in
naviwebs  navigate_cms   (not stated)     (not stated)

Detection & IOCs (extracted from sources)

url: /navigate/login.php
url: /navigate/navigate.php?fid=dashboard&act=json&oper=feed
url: /navigate/private/1/cache/0f1726ba83325848d47e216b29d5ab99.feed
path: /navigate/private/1/cache/*.feed
command: url=file:///etc/passwd
cookie: NVSID
  • SSRF payload is injected via the POST body parameter 'url' to the endpoint /navigate/navigate.php?fid=dashboard&act=json&oper=feed. Monitor for non-HTTP/HTTPS schemes (e.g., file://) in this parameter.
  • The exploit abuses the CMS cache feature: the SSRF response is stored as an MD5 hash of the requested URL with a .feed extension under /private/1/cache/. Monitor GET requests to this path pattern for exfiltration.
  • The exploit requires authentication. Monitor for login attempts followed immediately by POST requests to the feed endpoint, indicating automated exploitation. The session cookie name is NVSID.
  • The CSRF token is extracted from the X-Csrf-Token response header during login and reused in subsequent exploit requests. Monitor for X-Csrf-Token header usage in POST requests to navigate.php.
  • Successful exploitation of file:///etc/passwd via SSRF will result in a response body matching the regex root:.*:0:0: in the cached .feed file.
  • Exploitation requires valid CMS credentials (authenticated SSRF). The vulnerability is only exploitable by users who can log in to Navigate CMS.
  • The cached SSRF response file path is deterministic: it is the MD5 hash of the requested URL with a .feed extension under /private/1/cache/. Knowing the payload URL allows direct retrieval of the cached response.
  • The vulnerability affects Navigate CMS version 2.9.4 and earlier. Version 2.9.5 contains the fix.
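As an added example that is not part of this record or of Navigate CMS itself, a small Python detector that applies the feed-parameter and cache-file bullets above to a sequence of request records: it flags a non-http(s) scheme in the `url` form parameter sent to the feed endpoint, derives the MD5-named cache file that payload would produce, and raises a high-confidence alert when that exact file is then fetched. The record format (dicts with method, path, query and form-encoded body) is an assumption standing in for whatever a WAF or reverse proxy with body logging emits, and the sample events are constructed.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

FEED_ENDPOINT = "/navigate/navigate.php"
FEED_QUERY = {"fid": ["dashboard"], "act": ["json"], "oper": ["feed"]}
# Cached feeds are served from /navigate/private/<site id>/cache/<md5>.feed
CACHE_RE = re.compile(r"^/navigate/private/\d+/cache/([0-9a-f]{32})\.feed$")


def cache_name(url: str) -> str:
    """Cache file name Navigate CMS derives from a fetched URL: md5(url).feed"""
    return hashlib.md5(url.encode()).hexdigest() + ".feed"


def detect(events):
    """Scan ordered request records (assumed dict format: method, path, query,
    form-encoded body) and return (alert_type, detail) tuples."""
    alerts = []
    expected = {}  # cache file name -> SSRF payload URL that would produce it
    for ev in events:
        query = parse_qs(ev.get("query", ""))
        if (ev["method"] == "POST" and ev["path"] == FEED_ENDPOINT
                and all(query.get(k) == v for k, v in FEED_QUERY.items())):
            url = parse_qs(ev.get("body", "")).get("url", [""])[0]
            # Legitimate feeds are http(s); any other scheme is an SSRF attempt
            if url and urlsplit(url).scheme.lower() not in ("http", "https"):
                alerts.append(("ssrf_payload", url))
                expected[cache_name(url)] = url
        elif ev["method"] == "GET":
            m = CACHE_RE.match(ev["path"])
            if m:
                name = m.group(1) + ".feed"
                if name in expected:  # retrieval of a known SSRF result
                    alerts.append(("cache_exfil", expected[name]))
                else:  # lower confidence: some other direct read of the cache
                    alerts.append(("cache_read", name))
    return alerts


# Constructed sample: login, SSRF payload, fetch of its cached result, unrelated cache read
PAYLOAD = "file:///etc/passwd"
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/navigate/login.php", "query": "", "body": "user=a&password=b"},
    {"method": "POST", "path": FEED_ENDPOINT, "query": "fid=dashboard&act=json&oper=feed",
     "body": "url=file%3A%2F%2F%2Fetc%2Fpasswd"},
    {"method": "GET", "path": "/navigate/private/1/cache/" + cache_name(PAYLOAD), "query": "", "body": ""},
    {"method": "GET", "path": "/navigate/private/1/cache/" + "a" * 32 + ".feed", "query": "", "body": ""},
]
```

Pairing the `ssrf_payload` alert with a following `cache_exfil` for the same URL is the strongest signal on this page; a lone `cache_read` also fires for the CMS's own dashboard traffic and is only worth tuning into a low-severity rule.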

CVSS provenance

Source  Version   Score  Severity  Vector
nvd     v3.1      4.9    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
nvd     v2.0      4.0    MEDIUM    AV:N/AC:L/Au:S/C:N/I:P/A:N