CVE-2022-37190
published 2022-09-13CVE-2022-37190: CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.
PriorityP274high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
45.77%
98.6th percentile
CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cuppacms | cuppacms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandaction=system&function=exec&cmd=cat+/etc/passwd
path/components/table_manager/
pathpath=component%2Ftable_manager%2Fview%2Fcu_api_keys
- →Exploit requires authentication first via POST login, then retrieves an API key from the table_manager component, and finally calls /api/index.php with the key header to execute OS commands.
- →The exploit POST to /api/index.php uses a custom 'key' HTTP header carrying the extracted API key; monitor for this non-standard header on that endpoint.
- →RCE payload uses action=system&function=exec parameters; alert on POST requests to /api/index.php containing these parameter names.
- →Successful exploitation returns /etc/passwd content in the HTTP response body; regex match on 'root:.*:0:0:' or 'postgres:.*:1001:' in responses from /api/index.php can confirm exploitation.
- →Login step posts credentials to the application root with task=login; monitor for subsequent rapid requests to /components/table_manager/ and /api/index.php from the same source as a multi-step attack chain indicator.
- ·Exploitation requires valid credentials (authenticated RCE); unauthenticated access alone is insufficient to trigger the vulnerability. ↗
- ·The attack is a 3-step chain: (1) login to obtain session, (2) retrieve API key from table_manager, (3) use API key in 'key' header to call /api/index.php — all three requests must succeed for RCE.
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Cuppa CMS v1.0 - Remote Code Execution
nuclei·CVSS 8.8
CVE-2022-37190 [HIGH] Cuppa CMS v1.0 - Remote Code Execution
Cuppa CMS v1.0 - Remote Code Execution
CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.
Template:
id: CVE-2022-37190
info:
name: Cuppa CMS v1.0 - Remote Code Execution
author: theamanrawat
severity: high
description: |
CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Apply the latest security patch or update to a patched version of Cuppa CMS v1.0 to mitigate this vulnerability.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nv
2022-09-13
Published