CVE-2024-48573
Published 2024-10-29
Priority P2 · 72 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tag: EXPLOIT
EPSS: 1.00% (58.4th percentile)
A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aquila-cms | aquilacms | <= 1.409.20 | — |
Detection & IOCs (extracted from sources)
- Detect NoSQL injection in password reset: HTTP POST to /api/v2/user/resetpassword with a JSON body whose 'token' field is an operator object rather than a string, e.g. {"token": {"$ne": null}}. This is the core injection payload for CVE-2024-48573.
- Detect email enumeration via NoSQL regex injection: HTTP PUT to /api/v2/user with a JSON body where 'email' is a regex pattern (e.g. {"email": "^a.*"}). Repeated PUT requests with incrementally refined regex patterns are characteristic of this enumeration phase.
- Detect the RCE follow-on: after a password reset, watch for POST to /api/v2/modules/upload with a multipart ZIP file upload, followed by POST to /api/v2/modules/toggle with {"active": false}; the toggle triggers execution of the malicious uninit.js inside the uploaded plugin ZIP.
- Detect malicious plugin ZIP structure: a ZIP archive uploaded to /api/v2/modules/upload containing a file named 'uninit.js' with Node.js child_process exec() calls is indicative of the RCE payload (CVE-2024-48572 chained with CVE-2024-48573).
- A response body containing the 'UserAlreadyExist' code to a PUT /api/v2/user request is abused as an oracle for email enumeration; alert on high-frequency PUT requests to this endpoint from a single source IP.
- The exploit chains two CVEs: CVE-2024-48573 (NoSQL injection password reset) and CVE-2024-48572 (RCE via malicious plugin upload). Detection rules should account for both the unauthenticated reset phase and the authenticated RCE phase as a combined attack chain.
- The exploit targets AquilaCMS version 1.409.20 and prior. Ensure version-scoped detection or blocking is applied only to affected versions to avoid false positives on patched deployments.
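The indicators above combined into one chained detector, added here as example code (not from the source or from the AquilaCMS project): it runs over a constructed request log and assumes each request has already been parsed into source IP, method, path and decoded JSON body.

```python
import re
from collections import defaultdict

SAMPLE_REQUESTS = [  # constructed sample request log (not real traffic), one dict per request, in arrival order
    {"src": "203.0.113.5", "method": "PUT", "path": "/api/v2/user", "body": {"email": "^a.*"}},
    {"src": "203.0.113.5", "method": "PUT", "path": "/api/v2/user", "body": {"email": "^ad.*"}},
    {"src": "203.0.113.5", "method": "POST", "path": "/api/v2/user/resetpassword",
     "body": {"token": {"$ne": None}, "password": "newpass"}},
    {"src": "203.0.113.5", "method": "POST", "path": "/api/v2/modules/upload", "content_type": "multipart/form-data"},
    {"src": "203.0.113.5", "method": "POST", "path": "/api/v2/modules/toggle", "body": {"active": False}},
    {"src": "198.51.100.9", "method": "POST", "path": "/api/v2/user/resetpassword",
     "body": {"token": "0f3a9c", "password": "legit"}},  # benign reset: token is a plain string
]

# Regex metacharacters a real address never needs ('.' is omitted because it is legitimate in e-mail addresses)
REGEX_META = re.compile(r"[\^\$\*\+\?\[\]\(\)\|\\]")

def contains_operator(value):  # True if a JSON value is, or nests, an object with a '$'-prefixed key
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    return isinstance(value, list) and any(contains_operator(v) for v in value)

def classify(req):  # map one request to the attack phase it matches (per the indicators above), or None
    method, path, body = req["method"], req["path"], req.get("body") or {}
    if method == "POST" and path == "/api/v2/user/resetpassword" and contains_operator(body.get("token")):
        return "nosql_reset"    # CVE-2024-48573: operator object where a token string belongs
    if method == "PUT" and path == "/api/v2/user" and isinstance(body.get("email"), str) \
            and REGEX_META.search(body["email"]):
        return "email_enum"     # regex in the email field; UserAlreadyExist response used as an oracle
    if method == "POST" and path == "/api/v2/modules/upload":
        return "plugin_upload"  # CVE-2024-48572 follow-on: plugin ZIP upload
    if method == "POST" and path == "/api/v2/modules/toggle" and body.get("active") is False:
        return "plugin_toggle"  # toggling the module off runs uninit.js from the uploaded ZIP
    return None

def in_order(seen, *labels):  # True if every label occurs in `seen`, in the given order
    pos = -1
    for label in labels:
        if label not in seen[pos + 1:]:
            return False
        pos = seen.index(label, pos + 1)
    return True

def detect_chain(requests):  # per source IP: matched phases, enumeration count, full reset->upload->toggle chain
    phases = defaultdict(list)
    for req in requests:
        label = classify(req)
        if label:
            phases[req["src"]].append(label)
    return {src: {"phases": seen, "enum_requests": seen.count("email_enum"),
                  "full_chain": in_order(seen, "nosql_reset", "plugin_upload", "plugin_toggle")}
            for src, seen in phases.items()}
```

A source with full_chain set should be treated as a likely compromise of the admin account and the host, not just a reset attempt; enum_requests counts the regex probes that typically precede it.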
No detection rules found.
No writeups or analysis indexed.