CVE-2024-44871
published 2024-09-10

Priority: P2, 61
CVSS 3.1: 7.2 (high), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.25% (96.5th percentile)

An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.

Affected (1 range)

Vendor | Product | Version range | Fixed in
mozilo | mozilocms | |

Detection & IOCs (extracted from sources)

path: /admin/index.php
path: /mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
filename: revshell.jpg
filename: revshell.php
command: curl http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php?0=whoami
  • Detect POST requests to /admin/index.php with body parameter changeart=file_rename where newfile value ends in .php and orgfile value ends in .jpg, indicating extension-change bypass of upload restrictions.
  • Monitor GET requests to paths matching /kategorien/*/dateien/*.php, which indicates access to a renamed/uploaded webshell in the MoziloCMS file storage directory.
  • Detect the presence of the MOZILOID_* cookie pattern in HTTP requests combined with file upload or rename actions to /admin/index.php as an indicator of authenticated exploitation attempts.
  • Webshell command execution is triggered via query parameter ?0=<command> (e.g., ?0=whoami); detect GET requests to .php files under the CMS upload path with numeric query parameters.
  • Exploitation requires prior authentication as an admin user; this is not an unauthenticated vulnerability. Detection rules should account for valid admin session cookies being present.
  • The two-step attack (upload as .jpg, then rename to .php) means a single-request detection will miss the full exploit chain; both the upload POST and the rename POST must be correlated.
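
The correlation described in the notes above, as an added example (not from the source advisory or the moziloCMS project): it links a .jpg-to-.php rename POST to later GETs of the renamed file under the upload path. The event format, the correlate function and the sample events are assumptions constructed for illustration; form bodies are assumed to be logged URL-encoded.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample events, not real traffic. Assumed shape: a proxy or WAF
# log that records the method, URL and URL-encoded form body of each request.
BASE = "/mozilo3.0-3.0.1"
EVENTS = [
    {"ts": 5, "src": "198.51.100.4", "method": "POST", "url": BASE + "/admin/index.php",
     "body": "changeart=file_rename&orgfile=a.jpg&newfile=b.jpg"},
    {"ts": 6, "src": "198.51.100.4", "method": "GET",
     "url": BASE + "/kategorien/Willkommen/dateien/b.jpg", "body": ""},
    {"ts": 10, "src": "203.0.113.7", "method": "POST", "url": BASE + "/admin/index.php",
     "body": "changeart=file_rename&orgfile=revshell.jpg&newfile=revshell.php"},
    {"ts": 20, "src": "203.0.113.7", "method": "GET",
     "url": BASE + "/kategorien/Willkommen/dateien/revshell.php?0=whoami", "body": ""},
    {"ts": 30, "src": "192.0.2.9", "method": "GET",
     "url": BASE + "/kategorien/Willkommen/dateien/other.php", "body": ""},
]

PHP_IN_UPLOADS = re.compile(r"/kategorien/[^/]+/dateien/([^/]+\.php)$", re.I)

def correlate(events):
    """Return (kind, ts, src, filename) alerts, linking renames to later GETs."""
    renamed, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        parts = urlsplit(ev["url"])
        if ev["method"] == "POST" and parts.path.endswith("/admin/index.php"):
            form = {k: v[0] for k, v in parse_qs(ev["body"]).items()}
            org, new = form.get("orgfile", "").lower(), form.get("newfile", "").lower()
            if (form.get("changeart") == "file_rename"
                    and org.endswith(".jpg") and new.endswith(".php")):
                renamed.add(new)
                alerts.append(("rename_jpg_to_php", ev["ts"], ev["src"], new))
        elif ev["method"] == "GET" and (m := PHP_IN_UPLOADS.search(parts.path)):
            name = m.group(1).lower()
            numeric_param = any(k.isdigit() for k in parse_qs(parts.query))
            if name in renamed:  # second half of the chain: renamed file is requested
                kind = "chain_webshell_exec" if numeric_param else "chain_php_access"
            else:                # .php under the upload path with no rename seen
                kind = "php_in_upload_dir"
            alerts.append((kind, ev["ts"], ev["src"], name))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The initial .jpg upload request is not modelled because the source does not give its parameters; the rename and the follow-up GET are the two steps correlated here.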