CVE-2022-38296
Published 2022-09-12
CVE-2022-38296: Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
Priority P180 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.73% (88.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cuppacms | cuppacms | — | — |
Detection & IOCs (extracted from sources)
- Exploit uploads a file with a .jpg extension to the jQuery File Upload endpoint, then renames it to a .php file via the File Manager API — monitor for POST requests to /js/jquery_file_upload/server/php/ followed by a rename action to a .php extension via /js/filemanager/api/index.php.
- The rename action payload uses JSON with keys 'from', 'to', and 'action':'rename' — detect POST requests to /js/filemanager/api/index.php with a JSON body containing 'action':'rename' and a destination filename ending in .php.
- After the rename, the webshell is accessed under /media/<name>.php — monitor for GET requests to /media/*.php on Cuppa CMS instances.
- The multipart upload uses boundary '----WebKitFormBoundary9MZjlIG8fVPjrlCI' and sets 'unique_name' to 'true' — this specific boundary string can be used as a network signature for exploit attempts.
- The probe/validation string 'ed6bf8b1b4b8e64836455fe32b958c2c' is expected in the HTTP response body of the executed PHP webshell — presence of this string in a response from /media/*.php confirms successful exploitation.
- The exploit is a multi-step, 3-request chain: (1) upload disguised .jpg to jQuery File Upload endpoint, (2) rename to .php via File Manager API, (3) GET the resulting .php file. All three steps must succeed for RCE.
- The vulnerability is tagged 'intrusive' — detection/scanning for this CVE will result in actual file uploads and renames on the target system.
- No authentication is required to exploit this vulnerability (PR:N in CVSS), meaning the file upload and rename endpoints are publicly accessible.
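The request chain in the notes above can be correlated per client from proxy or WAF logs that capture request bodies. The following is an added detection sketch, not code from any of the cited sources; the event field names (`ts`, `src`, `method`, `path`, `status`, `body`), the sample values and the choice to key on source address are assumptions.

```python
import json
import re

UPLOAD_PATH = "/js/jquery_file_upload/server/php/"
RENAME_PATH = "/js/filemanager/api/index.php"
MEDIA_PHP = re.compile(r"^/media/[^/?]+\.php(?:\?|$)", re.IGNORECASE)

def is_php_rename(body):
    """True if a File Manager API body is a rename whose target ends in .php."""
    try:
        doc = json.loads(body or "")
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("action") == "rename"
            and str(doc.get("to", "")).lower().endswith(".php"))

def correlate(events):
    """Map client -> highest stage seen: 1 upload, 2 rename to .php, 3 .php served."""
    stage = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, method, path = ev["src"], ev["method"], ev["path"]
        seen = stage.get(src, 0)
        if method == "POST" and path.startswith(UPLOAD_PATH):
            stage[src] = max(seen, 1)
        elif method == "POST" and path.startswith(RENAME_PATH) and is_php_rename(ev.get("body")):
            stage[src] = max(seen, 2)  # high-signal even without a logged upload
        elif (method == "GET" and seen >= 2 and MEDIA_PHP.match(path)
              and ev.get("status") == 200):
            stage[src] = 3  # renamed file was served: treat as likely compromise
    return stage

# Constructed sample events (not real traffic); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": 1, "src": "203.0.113.10", "method": "POST", "path": UPLOAD_PATH, "status": 200},
    {"ts": 2, "src": "203.0.113.10", "method": "POST", "path": RENAME_PATH, "status": 200,
     "body": '{"from": "/sample.jpg", "to": "/sample.php", "action": "rename"}'},
    {"ts": 3, "src": "203.0.113.10", "method": "GET", "path": "/media/sample.php", "status": 200},
    {"ts": 4, "src": "198.51.100.7", "method": "POST", "path": UPLOAD_PATH, "status": 200},
    {"ts": 5, "src": "198.51.100.8", "method": "POST", "path": RENAME_PATH, "status": 200,
     "body": '{"from": "/a.jpg", "to": "/b.png", "action": "rename"}'},
    {"ts": 6, "src": "198.51.100.8", "method": "GET", "path": "/media/b.png", "status": 200},
]

if __name__ == "__main__":
    for client, reached in sorted(correlate(SAMPLE_EVENTS).items()):
        print(client, "stage", reached)
```

Stage 1 alone is ordinary upload traffic; stage 2 warrants an alert, and stage 3 warrants incident response on the host.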
CVSS provenance
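| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_oracle | | 7.5 | HIGH | |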
GHSA
GHSA-w9ph-f2p6-3wqx: Cuppa CMS v1
ghsa_unreviewed·2022-09-13
CVE-2022-38296 [CRITICAL] CWE-434 GHSA-w9ph-f2p6-3wqx: Cuppa CMS v1
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
VulnCheck
cuppacms cuppacms Unrestricted Upload of File with Dangerous Type
vulncheck·2022·CVSS 9.8
CVE-2022-38296 [CRITICAL] cuppacms cuppacms Unrestricted Upload of File with Dangerous Type
cuppacms cuppacms Unrestricted Upload of File with Dangerous Type
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
Affected: cuppacms cuppacms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-07&host_type=src&vulnerability=cve-2022-38296; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-08&host_type=src&vulnerability=cve-2022-38296; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-09&host_type=src&vulnerability=cve-2022-38296; https://dashboard.sh
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Spark) — CVE-2021-38296
vendor_oracle·2022-07-15·CVSS 7.5
CVE-2021-38296 [HIGH] Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Spark) — CVE-2021-38296
Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Spark) vulnerability
CVE: CVE-2021-38296
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
No detection rules found.
Nuclei
Cuppa CMS v1.0 - Arbitrary File Upload
nuclei·CVSS 9.8
CVE-2022-38296 [CRITICAL] Cuppa CMS v1.0 - Arbitrary File Upload
Cuppa CMS v1.0 - Arbitrary File Upload
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
Template:
```yaml
id: CVE-2022-38296

info:
  name: Cuppa CMS v1.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution and compromise of the affected system.
  remediation: |
    Apply the latest patch or upgrade to a newer version of Cuppa CMS to mitigate this vulnerability.
  reference:
    - https://github.com/CuppaCMS/CuppaCMS
    - https://nvd.nist.gov/vuln/detail/CVE-2022-38296
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:
```