CVE-2023-37759
published 2023-09-08

CVE-2023-37759: Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin…

Priority: P2 (69), critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 3.56% (87.9th percentile)
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.

Affected (1 range)

Vendor        Product                  Version range   Fixed in
trendylogics  crypto_currency_tracker  <= 9.5          (not listed)

Detection & IOCs (extracted from sources)

URL: /en/user/register
POST body: command_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register
  • Detect unauthenticated POST requests to /en/user/register containing the parameter role_id=1, which indicates an attempt to self-register as an Admin account.
  • Flag POST requests to the user registration endpoint where the body includes the 'role_id' parameter — legitimate registration flows should not allow clients to supply a role.
  • The exploit targets CCT versions <= 9.5; versions before 9.5 are confirmed vulnerable. Verify the installed version before applying detections to avoid false positives on patched instances.
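One way to implement the two detection bullets above over captured requests, as an added example that is not from this page or from the CCT project (the locale-prefix path pattern and the sample request records are constructed assumptions; the role_id=1 mapping to Admin comes from the quoted exploit body):

```python
"""Flag CCT self-registration requests that carry a client-supplied role
(CVE-2023-37759). Added detection example; assumes request bodies are
available, e.g. from a reverse proxy or WAF that logs POST bodies."""
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumption: the registration path may carry a two-letter locale prefix
# (/en/, /fr/, ...) as in the quoted exploit URL /en/user/register.
REGISTER_PATH = re.compile(r"^/(?:[a-z]{2}/)?user/register/?$")


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding if a registration POST supplies role_id, else None.
    Any client-supplied role_id is suspicious; role_id=1 is the Admin role
    used in the public exploit request, so it is rated highest."""
    if method.upper() != "POST" or not REGISTER_PATH.match(path):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "role_id" not in params:
        return None
    role = params["role_id"][0]
    return {
        "rule": "cct-register-role-tamper",
        "path": path,
        "role_id": role,
        "severity": "critical" if role == "1" else "high",
        "email": params.get("email", [""])[0],
    }


def scan(records) -> list:
    """Run inspect_request over (method, path, body) tuples, keep findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]


# Constructed sample records: one benign signup, one Admin self-registration,
# one other role tamper, one GET, and one POST to an unrelated endpoint.
SAMPLE_REQUESTS = [
    ("POST", "/en/user/register", "command_token=abc&name=alice&email=alice%40example.test&password=x&submit_register=Register"),
    ("POST", "/en/user/register", "command_token=abc&name=mallory&role_id=1&email=m%40example.test&password=x&submit_register=Register"),
    ("POST", "/fr/user/register", "name=bob&role_id=2&email=b%40example.test&password=x"),
    ("GET", "/en/user/register", ""),
    ("POST", "/en/user/login", "email=a%40b.test&password=x&role_id=1"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Pair the rule with the version check from the last bullet: a patched instance ignores the parameter, so a hit there is an attempt, not a compromise.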