CVE-2022-38296
published 2022-09-12

CVE-2022-38296: Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.

Priority: P180 critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.73% (88.5th percentile)

Affected (1 range)

Vendor     Product    Version range   Fixed in
cuppacms   cuppacms   -               -

Detection & IOCs (extracted from sources)

url: /js/jquery_file_upload/server/php/
url: /js/filemanager/api/index.php
path: /media/{{randstr}}.php
command: {"from":"//{(unknown)}","to":"//{{randstr}}.php","action":"rename"}
  • Exploit uploads a file with a .jpg extension to the jQuery File Upload endpoint, then renames it to a .php file via the File Manager API — monitor for POST requests to /js/jquery_file_upload/server/php/ followed by a rename action to a .php extension via /js/filemanager/api/index.php.
  • The rename action payload uses JSON with keys 'from', 'to', and 'action':'rename' — detect POST requests to /js/filemanager/api/index.php with a JSON body containing 'action':'rename' and a destination filename ending in .php.
  • After the rename, the webshell is accessed under /media/<name>.php — monitor for GET requests to /media/*.php on Cuppa CMS instances.
  • The multipart upload uses boundary '----WebKitFormBoundary9MZjlIG8fVPjrlCI' and sets 'unique_name' to 'true' — this specific boundary string can be used as a network signature for exploit attempts.
  • The probe/validation string 'ed6bf8b1b4b8e64836455fe32b958c2c' is expected in the HTTP response body of the executed PHP webshell — presence of this string in a response from /media/*.php confirms successful exploitation.
  • The exploit is a multi-step, 3-request chain: (1) upload disguised .jpg to jQuery File Upload endpoint, (2) rename to .php via File Manager API, (3) GET the resulting .php file. All three steps must succeed for RCE.
  • The vulnerability is tagged 'intrusive': detection/scanning for this CVE will result in actual file uploads and renames on the target system.
  • No authentication is required to exploit this vulnerability (PR:N in CVSS), meaning the file upload and rename endpoints are publicly accessible.
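A log-correlation check for the three-request chain described in the bullets above, as an added defensive example (not code from the CVE record or from Cuppa CMS): it walks access-log lines per client IP and flags the upload, rename, GET /media/*.php sequence in that order. The log lines are constructed; the endpoint paths are the ones listed in the record.

```python
"""Correlate the three-request Cuppa CMS upload chain in web server access logs.
Added defensive example, not code from the CVE record or from Cuppa CMS; the log
lines are constructed and assumed chronological, as access logs are written.
Access logs carry no request body, so the rename step is matched on its endpoint
only (checking for '"action":"rename"' and a .php target needs WAF/proxy logs).
"""
import re
from collections import defaultdict
# Common log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_PATH = "/js/jquery_file_upload/server/php/"
RENAME_PATH = "/js/filemanager/api/index.php"
SHELL_RE = re.compile(r"^/media/[^/?]+\.php(?:\?.*)?$")  # /media/<name>.php

def parse(line):
    """Return (ip, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m:
        ip, method, path, status = m.groups()
        return ip, method, path, int(status)

def classify(method, path):
    """Map one request onto a step of the chain, or None if unrelated."""
    if method == "POST" and path.startswith(UPLOAD_PATH):
        return "upload"
    if method == "POST" and path == RENAME_PATH:
        return "rename"
    return "shell" if method == "GET" and SHELL_RE.match(path) else None

def detect_chain(lines):
    """Yield (ip, shell_path, status) per client completing upload -> rename -> GET in order."""
    stage = defaultdict(int)  # per-client progress: 0 none, 1 uploaded, 2 renamed
    for ip, method, path, status in filter(None, map(parse, lines)):
        step = classify(method, path)
        if step == "upload":
            stage[ip] = 1
        elif step == "rename" and stage[ip] == 1:
            stage[ip] = 2
        elif step == "shell" and stage[ip] == 2:
            yield ip, path, status
            stage[ip] = 0

# Constructed sample: a full chain from 198.51.100.7; unrelated traffic from 203.0.113.5.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2022:10:00:01 +0000] "POST /js/jquery_file_upload/server/php/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Sep/2022:10:00:02 +0000] "POST /js/filemanager/api/index.php HTTP/1.1" 200 45',
    '198.51.100.7 - - [12/Sep/2022:10:00:03 +0000] "GET /media/a1b2c3.php HTTP/1.1" 200 32',
    '203.0.113.5 - - [12/Sep/2022:10:05:01 +0000] "GET /media/old.php HTTP/1.1" 404 200',
]
```

A lone GET to /media/*.php (as from 203.0.113.5) does not fire; only a client that first hit the upload and rename endpoints does, which keeps ordinary media traffic out of the alert stream.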

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL
vendor_oracle: 7.5 HIGH