cbcvebase.
CVE-2022-31854
published 2022-07-07

CVE-2022-31854: Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.

Priority: P2 · 59 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 24.94% (97.6th percentile)
Affected

1 range
Vendor: codologic
Product: codoforum
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /admin/?page=login
url: /admin/index.php?page=config
path: /sites/default/assets/img/attachments/
path: /sites/default/assets/img/attachments/{{randstr}}.php
filename: <random>.php
other: Content-Type: application/x-httpd-php
command: nc <ip> <port> >/tmp/f
cookie: cf=0; user_id=1; PHPSESSID=<session>
regex: name="CSRF_token" value="([0-9a-zA-Z]+)"/>
  • Detect PHP file upload via the forum_logo multipart field to /admin/index.php?page=config — a .php filename in this field is the exploit trigger.
  • Monitor HTTP GET requests to /sites/default/assets/img/attachments/*.php — successful exploitation results in a 200 response for an uploaded PHP webshell at this path.
  • Exploitation is authenticated; look for admin session cookie (cf=0, user_id=1) combined with a POST to the global config page uploading a PHP file.
  • The nuclei template validates exploitation by checking for the magic string a63fd49130de6406a66600cd8caa162f in the response body of the uploaded PHP file.
  • The exploit uses a local proxy at 127.0.0.1:8080 for traffic interception; in lab/red-team contexts, look for this proxy configuration alongside exploit traffic.
  • Post-upload RCE payload uses a netcat reverse shell writing to /tmp/f; monitor for process creation of nc with outbound connections following a Codoforum admin config POST.
  • Exploitation requires valid admin credentials — this is an authenticated vulnerability (PR:H). Brute-force or credential theft must precede the file upload step.
  • The uploaded PHP shell lands under /sites/default/assets/img/attachments/ — this directory must be web-accessible and not have PHP execution disabled for the RCE to succeed.
  • The exploit extracts a CSRF token from the admin config page before uploading; detections should account for the two-step flow (GET config page → POST with CSRF token).
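The following is an added example, not code from this record, from Codoforum or from the referenced nuclei template. It turns the detection bullets above into two checks: one over a parsed multipart POST to the global config page (the forum_logo part carrying a PHP filename or PHP content type, with the cf=0; user_id=1 admin cookies noted as corroboration), and one over web-server access-log lines for a 200 response to a .php file under /sites/default/assets/img/attachments/. Assumptions: the request has already been parsed into a simple record by a WAF or reverse proxy (multipart body parsing is not shown), the log is in combined log format, and the PHP extension list beyond .php is a guess at what a typical handler executes. All sample requests and log lines are constructed.

```python
"""Detection checks for the Codoforum logo-upload pattern (added example).

check_config_upload(): multipart POST to /admin/index.php?page=config whose forum_logo
part has a PHP filename or PHP content type.
scan_access_log(): HTTP 200 for GET of a .php file under the attachments directory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

CONFIG_PATH = "/admin/index.php"
CONFIG_QUERY = "page=config"
ATTACHMENTS_DIR = "/sites/default/assets/img/attachments/"
# Assumption: extensions a PHP handler would typically execute; tune to the server config.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
PHP_CONTENT_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php"}


@dataclass
class MultipartPart:
    name: str
    filename: Optional[str] = None
    content_type: Optional[str] = None


@dataclass
class HttpRequest:
    method: str
    target: str  # path plus query string, e.g. /admin/index.php?page=config
    cookies: Dict[str, str] = field(default_factory=dict)
    parts: List[MultipartPart] = field(default_factory=list)


def is_php_name(filename: Optional[str]) -> bool:
    return bool(filename) and filename.lower().endswith(PHP_EXTENSIONS)


def check_config_upload(req: HttpRequest) -> List[str]:
    """Return findings for one parsed request; an empty list means nothing suspicious."""
    findings: List[str] = []
    url = urlsplit(req.target)
    if req.method != "POST" or url.path != CONFIG_PATH or CONFIG_QUERY not in url.query.split("&"):
        return findings
    for part in req.parts:
        if part.name != "forum_logo":
            continue
        if is_php_name(part.filename):
            findings.append(f"forum_logo filename is PHP: {part.filename}")
        if part.content_type and part.content_type.lower() in PHP_CONTENT_TYPES:
            findings.append(f"forum_logo content type is PHP: {part.content_type}")
    # Corroborating IOC from the record: the admin session cookie pair on the upload request.
    if findings and req.cookies.get("cf") == "0" and req.cookies.get("user_id") == "1":
        findings.append("admin session cookies cf=0; user_id=1 present on the upload")
    return findings


# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_access_log(lines: List[str]) -> List[dict]:
    """Flag successful GETs of PHP files under the attachments directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if m["method"] == "GET" and m["status"] == "200" and path.startswith(ATTACHMENTS_DIR) and is_php_name(path):
            hits.append({"ip": m["ip"], "time": m["time"], "path": path})
    return hits


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jul/2022:10:00:01 +0000] "GET /admin/index.php?page=config HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Jul/2022:10:00:02 +0000] "POST /admin/index.php?page=config HTTP/1.1" 302 0',
    '203.0.113.5 - - [07/Jul/2022:10:00:03 +0000] "GET /sites/default/assets/img/attachments/kx9q2v.php HTTP/1.1" 200 32',
    '198.51.100.7 - - [07/Jul/2022:10:05:00 +0000] "GET /sites/default/assets/img/attachments/logo.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [07/Jul/2022:10:05:01 +0000] "GET /sites/default/assets/img/attachments/old.php HTTP/1.1" 404 162',
]
SUSPICIOUS_REQUEST = HttpRequest(
    method="POST", target="/admin/index.php?page=config",
    cookies={"cf": "0", "user_id": "1", "PHPSESSID": "constructed-session-id"},
    parts=[MultipartPart(name="CSRF_token"),
           MultipartPart(name="forum_logo", filename="kx9q2v.php", content_type="application/x-httpd-php")],
)
BENIGN_REQUEST = HttpRequest(
    method="POST", target="/admin/index.php?page=config",
    cookies={"cf": "0", "user_id": "1"},
    parts=[MultipartPart(name="forum_logo", filename="logo.png", content_type="image/png")],
)

if __name__ == "__main__":
    for finding in check_config_upload(SUSPICIOUS_REQUEST):
        print("ALERT:", finding)
    print("benign request findings:", check_config_upload(BENIGN_REQUEST))
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT: PHP served from attachments dir:", hit)
```

The access-log check alone only sees the second half of the flow, and a 404 for a .php path under attachments (the last sample line) is deliberately not flagged, since it is the served 200 that indicates a live upload; pair it with the request-body check at the proxy, or with a file-integrity watch on the attachments directory, to catch the upload itself.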

CVSS provenance

NVD v3.1: 7.2 HIGH — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM — AV:N/AC:L/Au:S/C:P/I:P/A:P