CVE-2022-37190
published 2022-09-13

CVE-2022-37190: CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php".

Priority: P2 74 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 45.77% (98.6th percentile)

Affected (1 range)

Vendor: cuppacms · Product: cuppacms · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /api/index.php
command: action=system&function=exec&cmd=cat+/etc/passwd
path: /components/table_manager/
path: path=component%2Ftable_manager%2Fview%2Fcu_api_keys
  • Exploit requires authentication first via POST login, then retrieves an API key from the table_manager component, and finally calls /api/index.php with the key header to execute OS commands.
  • The exploit POST to /api/index.php uses a custom 'key' HTTP header carrying the extracted API key; monitor for this non-standard header on that endpoint.
  • RCE payload uses action=system&function=exec parameters; alert on POST requests to /api/index.php containing these parameter names.
  • Successful exploitation returns /etc/passwd content in the HTTP response body; regex match on 'root:.*:0:0:' or 'postgres:.*:1001:' in responses from /api/index.php can confirm exploitation.
  • Login step posts credentials to the application root with task=login; monitor for subsequent rapid requests to /components/table_manager/ and /api/index.php from the same source as a multi-step attack chain indicator.
  • Exploitation requires valid credentials (authenticated RCE); unauthenticated access alone is insufficient to trigger the vulnerability.
  • The attack is a three-step chain: (1) login to obtain a session, (2) retrieve the API key from table_manager, (3) use the API key in the 'key' header to call /api/index.php; all three requests must succeed for RCE.
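Detection logic for the indicators listed above, as an added example that is not from the CVE entry or from CuppaCMS: it runs over a few constructed HTTP transaction records (the field layout and source addresses are assumptions of the example), tags POST requests to /api/index.php that carry the action=system/function=exec parameters or the custom 'key' header, flags the /etc/passwd pattern in responses, and raises 'exploit-chain' when one source performs the login, table_manager and API steps in that order.

```python
import re
from collections import defaultdict

# Constructed sample records (field layout assumed by this example); 10.0.0.5 walks the chain.
SAMPLE_LOG = [
    {"src": "10.0.0.5", "method": "POST", "path": "/", "query": "task=login",
     "headers": {}, "body": ""},
    {"src": "10.0.0.5", "method": "GET", "path": "/components/table_manager/",
     "query": "path=component%2Ftable_manager%2Fview%2Fcu_api_keys", "headers": {}, "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": "/api/index.php",
     "query": "action=system&function=exec", "headers": {"key": "<redacted>"},
     "body": "root:x:0:0:root:/root:/bin/bash\n"},
    {"src": "10.0.0.9", "method": "GET", "path": "/api/index.php",
     "query": "action=list", "headers": {}, "body": "[]"},
]

RCE_PARAMS = re.compile(r"(^|&)(action=system|function=exec)(&|$)")
PASSWD_LEAK = re.compile(r"root:.*:0:0:|postgres:.*:1001:")
STEPS = ("login", "table_manager", "api")  # required order of the chain

def classify(rec):
    tags = []
    if rec["path"] == "/api/index.php":
        if rec["method"] == "POST" and RCE_PARAMS.search(rec["query"]):
            tags.append("rce-params")
        if "key" in (h.lower() for h in rec["headers"]):
            tags.append("api-key-header")
        if PASSWD_LEAK.search(rec["body"]):
            tags.append("passwd-in-response")  # exploitation succeeded
    return tags

def step_of(rec):
    if rec["path"] == "/" and "task=login" in rec["query"]:
        return "login"
    if rec["path"].startswith("/components/table_manager/"):
        return "table_manager"
    return "api" if rec["path"] == "/api/index.php" else None

def detect(records):
    """Per-source alert tags; 'exploit-chain' when all steps occur in order."""
    alerts, first_seen = defaultdict(list), defaultdict(dict)
    for i, rec in enumerate(records):
        alerts[rec["src"]].extend(classify(rec))
        if (step := step_of(rec)):
            first_seen[rec["src"]].setdefault(step, i)
    for src, seen in first_seen.items():
        idx = [seen.get(s) for s in STEPS]
        if None not in idx and idx == sorted(idx):
            alerts[src].append("exploit-chain")
    return {src: tags for src, tags in alerts.items() if tags}
```

The per-request tags are noisy on their own (an operator may legitimately send a 'key' header), so the 'exploit-chain' tag is the one worth paging on.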