cbcvebase.
CVE-2022-36536
published 2022-09-16

Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.20% (91.4th percentile)

An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.

Affected (1 range)

Vendor      Product     Version range       Fixed in
syncovery   syncovery   >= 8.00 < 9.48j     9.48j

Detection & IOCs (extracted from sources)

path: post_applogin.php
  • Session tokens for Syncovery are base64-encoded timestamps in m/d/Y H:M:S format (e.g. base64('01/15/2023 14:32:01')). Detect authentication attempts using predictable/brute-forced tokens by monitoring for rapid sequential POST requests to post_applogin.php with base64-encoded timestamp values as session tokens.
  • Syncovery v8.x has no logout functionality, meaning captured or brute-forced session tokens remain valid until system reboot. Investigate long-lived Syncovery Web-GUI sessions as potentially compromised.
  • Brute-force exploitation generates all possible tokens for every second across a configurable day range (default: today and yesterday). Alert on high-volume POST requests to the Syncovery Web-GUI login endpoint within a short time window, indicative of per-second token enumeration.
  • The brute-force window is configurable via the DAYS parameter (default=1, covering today and yesterday). Defenders should be aware that attackers may extend this window to cover longer periods of potential login times, increasing the number of tokens tested.
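The detection logic from the bullets above, as an added example that is not part of this record or of Syncovery's own code: it checks whether a submitted token is a base64-encoded m/d/Y H:M:S timestamp and flags any source sending a burst of such POSTs to post_applogin.php. It assumes the log pipeline exposes the submitted session token next to each request (the record does not say which request field carries it); the log records are constructed.

```python
import base64
import binascii
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "post_applogin.php"
TOKEN_FMT = "%m/%d/%Y %H:%M:%S"  # m/d/Y H:M:S, the token shape described above

def is_timestamp_token(token: str) -> bool:
    """True if token base64-decodes to an m/d/Y H:M:S timestamp."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        datetime.strptime(raw, TOKEN_FMT)
        return True
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False

def find_token_enumeration(records, window_s=10, threshold=10):
    """Return source IPs that sent `threshold` or more POSTs carrying
    timestamp-shaped tokens to the login endpoint within `window_s` seconds.
    records: iterable of (epoch_seconds, src_ip, method, path, token)."""
    recent = defaultdict(deque)  # src_ip -> times of matching requests
    alerts = []
    for ts, src, method, path, token in sorted(records):
        if method != "POST" or not path.endswith(LOGIN_PATH):
            continue
        if not is_timestamp_token(token):
            continue  # not token-shaped: ordinary traffic, ignore
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop requests that fell out of the sliding window
        if len(q) >= threshold and src not in alerts:
            alerts.append(src)
    return alerts

def sample_records():
    """Constructed sample data, not real logs: one source submitting a fresh
    per-second token every second, one ordinary user logging in twice."""
    recs = []
    for i in range(30):
        tok = base64.b64encode(f"01/15/2023 14:32:{i:02d}".encode()).decode()
        recs.append((1000 + i, "198.51.100.7", "POST", "/post_applogin.php", tok))
    user_tok = base64.b64encode(b"01/15/2023 09:00:00").decode()
    recs.append((1005, "192.0.2.10", "POST", "/post_applogin.php", user_tok))
    recs.append((1900, "192.0.2.10", "POST", "/post_applogin.php", user_tok))
    return recs

if __name__ == "__main__":
    print(find_token_enumeration(sample_records()))  # ['198.51.100.7']
```

Tune `window_s` and `threshold` to the Web-GUI's normal login rate; a legitimate user produces a handful of POSTs, not one per second.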