CVE-2022-36536
Published 2022-09-16
Priority: P2 · 60 | Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available | EPSS: 5.20% (91.4th percentile)
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| syncovery | syncovery | >= 8.00 < 9.48j | 9.48j |
Detection & IOCs (extracted from sources)
- Session tokens for Syncovery are base64-encoded timestamps in m/d/Y H:M:S format (e.g. base64('01/15/2023 14:32:01')), so the token space for any given day is only 86,400 values. Detect authentication attempts using predictable or brute-forced tokens by monitoring for rapid sequential POST requests to post_applogin.php whose session token base64-decodes to such a timestamp.
- Syncovery v8.x has no logout functionality, so a captured or brute-forced session token remains valid until the system reboots. Investigate long-lived Syncovery Web-GUI sessions as potentially compromised.
- The brute-force exploit generates every possible token for every second across a configurable day range (default: today and yesterday). Alert on high-volume POST requests to the Syncovery Web-GUI login endpoint within a short time window, which is the signature of per-second token enumeration.
- The brute-force window is configurable via the DAYS parameter (default=1, covering today and yesterday, i.e. 172,800 candidate tokens). Attackers may extend this window to cover longer periods of possible login times, which raises the number of tokens tested and therefore the request volume a defender will see.
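The detection idea in the items above, written out as an added example (this is editor-supplied code, not Syncovery's and not the exploit's): it reproduces the token construction the advisory describes, sizes the brute-force space for a given DAYS value, classifies whether a submitted token is a base64-encoded m/d/Y H:M:S timestamp, and runs a sliding-window rate check per source over login records. The record layout (epoch, source IP, method, path, token) and the traffic in `sample_records()` are constructed assumptions; a real deployment would feed it whatever proxy or application log captures the submitted token.

```python
"""Added example: spot per-second session-token enumeration against the
Syncovery Web-GUI login endpoint (post_applogin.php).

Assumptions (not from the page): login records are tuples of
(epoch, src_ip, method, path, token), and the sample traffic below is
constructed, not captured.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/post_applogin.php"
TOKEN_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
SECONDS_PER_DAY = 86400


def token_space(days=1):
    """Candidate tokens a brute force must try for a DAYS window.
    DAYS=1 covers today and yesterday: two days of one-second slots."""
    return (days + 1) * SECONDS_PER_DAY


def make_token(ts):
    """Build a token the way the advisory describes: base64 of the login
    time formatted as m/d/Y H:M:S."""
    return base64.b64encode(ts.strftime("%m/%d/%Y %H:%M:%S").encode()).decode()


def is_timestamp_token(token):
    """True if `token` base64-decodes to a valid m/d/Y H:M:S timestamp."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    if not TOKEN_RE.match(raw):
        return False
    try:
        datetime.strptime(raw, "%m/%d/%Y %H:%M:%S")
    except ValueError:  # shape matched but e.g. month 13 or hour 99
        return False
    return True


def detect_bursts(records, window=10, threshold=20):
    """Sliding-window rate check per source IP.

    Only POSTs to the login endpoint carrying timestamp-shaped tokens are
    counted. Returns {src_ip: peak_count} for every source whose peak
    number of such requests inside any `window`-second span reaches
    `threshold`.
    """
    per_src = defaultdict(list)
    for epoch, src, method, path, token in records:
        if method == "POST" and path == LOGIN_PATH and is_timestamp_token(token):
            per_src[src].append(epoch)

    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def sample_records():
    """Constructed sample, not real traffic: one attacker enumerating 60
    consecutive one-second tokens at ~50 req/s, one legitimate login, and
    one request whose token is not a timestamp at all."""
    guessed_login_time = datetime(2023, 1, 15, 14, 32, 1)
    t0 = 1700000000.0  # arbitrary constructed request-time origin
    recs = []
    for i in range(60):
        recs.append((t0 + i * 0.02, "203.0.113.7", "POST", LOGIN_PATH,
                     make_token(guessed_login_time + timedelta(seconds=i))))
    recs.append((t0 + 30.0, "198.51.100.9", "POST", LOGIN_PATH,
                 make_token(guessed_login_time)))
    recs.append((t0 + 31.0, "198.51.100.9", "POST", LOGIN_PATH,
                 "bm90LWEtdGltZXN0YW1w"))  # base64("not-a-timestamp")
    return recs


if __name__ == "__main__":
    print("tokens to try with DAYS=1:", token_space(1))
    print("alerts:", detect_bursts(sample_records()))
```

The threshold and window are deliberately loose: a legitimate user produces one token-bearing POST per login, so even a handful of timestamp-shaped tokens from one source inside a few seconds is already anomalous, and tuning lower mainly trades against retries from misconfigured clients.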
No detection rules found.
No writeups or analysis indexed.