CVE-2022-31854
published 2022-07-07

CVE-2022-31854: Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
Priority P259 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.94% (97.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codologic | codoforum | — | — |
Detection & IOCs (extracted from sources)
- path: /sites/default/assets/img/attachments/{{randstr}}.php
- filename: <random>.php
- other: Content-Type: application/x-httpd-php
- regex: name="CSRF_token" value="([0-9a-zA-Z]+)"/>
- Detect PHP file upload via the forum_logo multipart field to /admin/index.php?page=config. A .php filename in this field is the exploit trigger.
- Monitor HTTP GET requests to /sites/default/assets/img/attachments/*.php. Successful exploitation results in a 200 response for an uploaded PHP webshell at this path.
- Exploitation is authenticated; look for admin session cookie (cf=0, user_id=1) combined with a POST to the global config page uploading a PHP file.
- The nuclei template validates exploitation by checking for the magic string a63fd49130de6406a66600cd8caa162f in the response body of the uploaded PHP file.
- The exploit uses a local proxy at 127.0.0.1:8080 for traffic interception; in lab/red-team contexts, look for this proxy configuration alongside exploit traffic.
- Post-upload RCE payload uses a netcat reverse shell writing to /tmp/f; monitor for process creation of nc with outbound connections following a Codoforum admin config POST.
- Exploitation requires valid admin credentials: this is an authenticated vulnerability (PR:H). Brute-force or credential theft must precede the file upload step.
- The uploaded PHP shell lands under /sites/default/assets/img/attachments/. This directory must be web-accessible and not have PHP execution disabled for the RCE to succeed.
- The exploit extracts a CSRF token from the admin config page before uploading; detections should account for the two-step flow (GET config page → POST with CSRF token).
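One way to turn the detection notes above into a log check, as an added example that is not part of the original page or of any tool it cites. It assumes Apache/nginx "combined" access logs, correlation by client IP, and a 10-minute window; the function name and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jul/2022:10:00:01 +0000] "GET /admin/index.php?page=config HTTP/1.1" 200 9123 "-" "python-requests/2.28"
198.51.100.7 - - [07/Jul/2022:10:00:02 +0000] "POST /admin/index.php?page=config HTTP/1.1" 200 9150 "-" "python-requests/2.28"
198.51.100.7 - - [07/Jul/2022:10:00:03 +0000] "GET /sites/default/assets/img/attachments/kqzvbt.php HTTP/1.1" 200 32 "-" "python-requests/2.28"
203.0.113.9 - - [07/Jul/2022:10:05:00 +0000] "GET /sites/default/assets/img/attachments/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2022:10:06:00 +0000] "GET /sites/default/assets/img/attachments/x.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Jul/2022:11:00:00 +0000] "GET /sites/default/assets/img/attachments/old.php HTTP/1.1" 200 12 "-" "curl/7.81"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# search() rather than match(): the forum may be installed under a path prefix.
CONFIG_RE = re.compile(r'/admin/index\.php\?(?:[^ ]*&)?page=config')
ATTACH_PHP_RE = re.compile(r'/sites/default/assets/img/attachments/[^/?]+\.php(?:\?|$)', re.I)

def find_alerts(log_text, window=timedelta(minutes=10)):
    """Flag 200 responses for .php files in the attachments directory.

    'high' when the same client POSTed the admin config page within
    `window` beforehand (the upload step), 'medium' otherwise.
    """
    last_config_post = {}  # client IP -> time of most recent config POST
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and CONFIG_RE.search(url):
            last_config_post[ip] = when
        elif method == "GET" and status == "200" and ATTACH_PHP_RE.search(url):
            posted = last_config_post.get(ip)
            correlated = posted is not None and timedelta(0) <= when - posted <= window
            alerts.append({"ip": ip, "url": url, "time": when,
                           "severity": "high" if correlated else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert["severity"], alert["ip"], alert["url"])
```

Access logs do not record the multipart body, so the forum_logo filename itself has to be checked where request bodies are visible, such as a WAF or reverse proxy.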
CVSS provenance
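| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |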
No detection rules found.
Exploit-DB
CodoForum v5.1 - Remote Code Execution (RCE)
exploitdb·2022-07-21·CVSS 7.2
CVE-2022-31854 [HIGH] CodoForum v5.1 - Remote Code Execution (RCE)
---
# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
# Date: 06/07/2022
# Exploit Author: Krish Pandey (@vikaran101)
# Vendor Homepage: https://codoforum.com/
# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
# Version: CodoForum v5.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-31854
#!/usr/bin/python3
import requests
import time
import optparse
import random
import string
banner = """
______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || |
| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _|
\____| \_/ |_____| |_____|\___/
Nuclei
Codoforum 5.1 - Arbitrary File Upload
nuclei·CVSS 7.2
CVE-2022-31854 [HIGH] Codoforum 5.1 - Arbitrary File Upload
Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
id: CVE-2022-31854
info:
  name: Codoforum 5.1 - Arbitrary File Upload
  author: theamanrawat
  severity: high
  description: |
    Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an at
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/167782/CodoForum-5.1-Remote-Code-Execution.html
- https://codoforum.com
- https://github.com/Vikaran101/CVE-2022-31854/blob/main/exploit.py
- https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc
Published: 2022-07-07