cbcvebase.
CVE-2023-34753
published 2023-06-14

CVE-2023-34753: bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit.

Priority: P357
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (public PoC)
EPSS: 4.23% (89.8th percentile)

Affected (1 range)

| Vendor  | Product    | Version range | Fixed in |
|---------|------------|---------------|----------|
| bloofox | bloofoxcms |               |          |

Detection & IOCs (extracted from sources)

url: /admin/index.php?mode=settings&page=tmpl&action=edit
path: /admin/index.php
command: tid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+
  • Detect time-based blind SQL injection attempts against bloofoxCMS by monitoring POST requests to /admin/index.php?mode=settings&page=tmpl&action=edit containing SLEEP() payloads in the tid parameter.
  • Look for response delays of 6 seconds or more on POST requests to the bloofoxCMS template edit endpoint as an indicator of successful time-based SQLi exploitation.
  • Identify bloofoxCMS instances exposed on the internet using the FOFA fingerprint 'Powered by bloofoxCMS' in page content.
  • Confirm exploitation by checking that the response body contains 'bloofoxCMS Admincenter' alongside a Content-Type of text/html after the injected request.
  • The Nuclei template is tagged 'authenticated', meaning automated scanning requires valid CMS admin credentials to reproduce or detect this vulnerability.
  • The CVSS score of 9.8 (PR:N) reflects unauthenticated network access in the base vector, but the actual exploit chain in the PoC template requires authenticated access; defenders should treat this as an authenticated critical finding.
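Added example (not part of the CVE record or of bloofoxCMS): a small Python checker that applies the first two detection notes above to reverse-proxy request logs. It assumes a constructed JSON-lines log with method, uri, post_form, content_type and elapsed_ms fields; real proxies and WAFs name these fields differently, so adjust the keys.

```python
"""Flag the time-based blind SQLi pattern from the detection notes in request
logs.  Log layout is constructed for this example; field names are assumptions."""
import json
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

TARGET_PATH = "/admin/index.php"
TARGET_QUERY = {"mode": "settings", "page": "tmpl", "action": "edit"}
SLEEP_RE = re.compile(r"\bSLEEP\s*\(", re.IGNORECASE)
DELAY_THRESHOLD_MS = 6000  # the PoC payload sleeps for 6 seconds

def classify(record: dict) -> str:
    """Return 'attempt', 'likely_success' or 'benign' for one request record."""
    if record.get("method") != "POST":
        return "benign"
    parts = urlsplit(record.get("uri", ""))
    if parts.path != TARGET_PATH:
        return "benign"
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if any(query.get(k) != v for k, v in TARGET_QUERY.items()):
        return "benign"
    form = parse_qs(record.get("post_form", ""), keep_blank_values=True)
    tid_values = form.get("tid", [])
    # Decode a second time so a double-encoded payload does not slip past the regex
    if not any(SLEEP_RE.search(unquote_plus(v)) for v in tid_values):
        return "benign"
    slow = record.get("elapsed_ms", 0) >= DELAY_THRESHOLD_MS
    html = "text/html" in record.get("content_type", "")
    return "likely_success" if slow and html else "attempt"

def scan(lines):
    """Yield (classification, record) for every non-benign JSON log line."""
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict != "benign":
            yield verdict, rec

# Constructed sample log: a normal template edit, a fast (failed) injection
# attempt, and an injected request that took the full 6-second delay.
SAMPLE_LOG = """
{"method":"POST","uri":"/admin/index.php?mode=settings&page=tmpl&action=edit","post_form":"tid=3&name=default","status":200,"content_type":"text/html","elapsed_ms":120}
{"method":"POST","uri":"/admin/index.php?mode=settings&page=tmpl&action=edit","post_form":"tid=3'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+","status":200,"content_type":"text/html","elapsed_ms":180}
{"method":"POST","uri":"/admin/index.php?mode=settings&page=tmpl&action=edit","post_form":"tid=3'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+","status":200,"content_type":"text/html; charset=utf-8","elapsed_ms":6240}
"""

if __name__ == "__main__":
    for verdict, rec in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:15s} elapsed={rec['elapsed_ms']}ms form={rec['post_form']}")
```

Response-body checks (the 'bloofoxCMS Admincenter' marker) need full-response capture and are left out here; the delay plus the SLEEP() payload in tid is the signal most proxy logs can provide.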