CVE-2024-48573
published 2024-10-29

Priority P272 · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 1.00% (58.4th percentile)
A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature.

Affected

1 range

Vendor       Product     Version range   Fixed in
aquila-cms   aquilacms   <= 1.409.20     (not listed)

Detection & IOCs (extracted from sources)

url: /api/v2/user
url: /api/v2/user/resetpassword
url: /api/v2/auth/login/admin
url: /api/v2/modules/upload
url: /api/v2/modules
url: /api/v2/modules/toggle
filename: uninit.js
command: {"token": {"$ne": null}, "password": "<attacker_password>"}
command: {"email": "<prefix>.*"}
  • Detect NoSQL injection in password reset: HTTP POST to /api/v2/user/resetpassword with a JSON body containing a 'token' field using the operator '$ne' (e.g. {"token": {"$ne": null}}) — this is the core injection payload for CVE-2024-48573.
  • Detect email enumeration via NoSQL regex injection: HTTP PUT to /api/v2/user with a JSON body where 'email' is a regex pattern (e.g. {"email": "^a.*"}). Repeated PUT requests with incrementally refined regex patterns are characteristic of this enumeration phase.
  • Detect RCE follow-on: after password reset, watch for POST to /api/v2/modules/upload with a multipart ZIP file upload, followed by POST to /api/v2/modules/toggle with {"active": false} — this triggers execution of the malicious uninit.js inside the uploaded plugin ZIP.
  • Detect malicious plugin ZIP structure: a ZIP archive uploaded to /api/v2/modules/upload containing a file named 'uninit.js' with Node.js child_process exec() calls is indicative of the RCE payload (CVE-2024-48572 chained with CVE-2024-48573).
  • A response body containing the 'UserAlreadyExist' code to a PUT /api/v2/user request can be abused as an oracle for email enumeration; alert on high-frequency PUT requests to this endpoint from a single source IP.
  • The exploit chains two CVEs: CVE-2024-48573 (NoSQL injection password reset) and CVE-2024-48572 (RCE via malicious plugin upload). Detection rules should account for both the unauthenticated reset phase and the authenticated RCE phase as a combined attack chain.
  • The exploit targets AquilaCMS version 1.409.20 and prior. Apply version-scoped detection or blocking only to affected versions to avoid false positives on patched deployments.
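The detection notes above describe four request patterns and one file-content pattern. The following Python detector is an added example written for this page; it is not code from the CVE record, from AquilaCMS, or from any published rule, and it runs over constructed sample request records rather than real traffic. It generalizes the first bullet slightly by flagging any MongoDB-style "$" operator key in the token field rather than only "$ne", treats any non-address value in the email field of PUT /api/v2/user as a regex-enumeration attempt, counts PUT requests per source IP against a constructed threshold, correlates a module upload with a later toggle to {"active": false} from the same IP, and inspects an uploaded plugin ZIP for an uninit.js that references child_process. Field names in the sample records (ts, ip, method, path, body) and the threshold value are assumptions of this example.

```python
"""Detection logic for the request and file patterns listed in the CVE-2024-48573 notes.

Added example for this page (not AquilaCMS or vendor code). The log schema below is
an assumption: one dict per HTTP request with ts, ip, method, path and raw JSON body.
"""
import io
import json
import re
import zipfile
from collections import defaultdict

# Constructed sample request log (not real traffic). 203.0.113.5 follows the
# enumerate -> reset -> upload -> toggle sequence; 198.51.100.9 is benign.
SAMPLE_LOG = [
    {"ts": 1, "ip": "203.0.113.5", "method": "PUT", "path": "/api/v2/user", "body": '{"email": "^a.*"}'},
    {"ts": 2, "ip": "203.0.113.5", "method": "PUT", "path": "/api/v2/user", "body": '{"email": "^ad.*"}'},
    {"ts": 3, "ip": "203.0.113.5", "method": "PUT", "path": "/api/v2/user", "body": '{"email": "^adm.*"}'},
    {"ts": 4, "ip": "203.0.113.5", "method": "POST", "path": "/api/v2/user/resetpassword",
     "body": '{"token": {"$ne": null}, "password": "x"}'},
    {"ts": 5, "ip": "203.0.113.5", "method": "POST", "path": "/api/v2/modules/upload", "body": ""},
    {"ts": 6, "ip": "203.0.113.5", "method": "POST", "path": "/api/v2/modules/toggle", "body": '{"active": false}'},
    {"ts": 7, "ip": "198.51.100.9", "method": "PUT", "path": "/api/v2/user", "body": '{"email": "alice@example.com"}'},
    {"ts": 8, "ip": "198.51.100.9", "method": "POST", "path": "/api/v2/user/resetpassword",
     "body": '{"token": "a1b2c3", "password": "x"}'},
]

# A plain address; anything else in the email field is treated as a regex probe.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ENUM_THRESHOLD = 3  # assumed: PUT /api/v2/user requests per IP before a volume alert


def parse_body(raw):
    """Parse a JSON request body, returning {} for empty or malformed input."""
    try:
        return json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return {}


def has_operator(value):
    """True if a JSON value is an object carrying a MongoDB-style '$' operator key."""
    return isinstance(value, dict) and any(str(k).startswith("$") for k in value)


def detect(log):
    """Return (finding, ip, ts) tuples for the patterns in the detection notes."""
    findings = []
    put_count = defaultdict(int)   # PUT /api/v2/user volume per source IP
    last_upload = {}               # ip -> ts of the most recent module upload
    for rec in log:
        body = parse_body(rec["body"])
        method, path, ip, ts = rec["method"], rec["path"], rec["ip"], rec["ts"]

        # Core injection: operator object in the reset token field.
        if method == "POST" and path == "/api/v2/user/resetpassword" and has_operator(body.get("token")):
            findings.append(("nosql_reset_injection", ip, ts))

        # Enumeration phase: regex-looking email plus request volume per IP.
        if method == "PUT" and path == "/api/v2/user":
            email = body.get("email")
            if isinstance(email, str) and not EMAIL_RE.match(email):
                findings.append(("email_regex_enumeration", ip, ts))
            put_count[ip] += 1
            if put_count[ip] == ENUM_THRESHOLD:
                findings.append(("high_frequency_user_put", ip, ts))

        # RCE follow-on: module upload, then toggle with {"active": false}.
        if method == "POST" and path == "/api/v2/modules/upload":
            last_upload[ip] = ts
        if (method == "POST" and path == "/api/v2/modules/toggle"
                and body.get("active") is False and ip in last_upload):
            findings.append(("plugin_upload_then_toggle", ip, ts))
    return findings


def suspicious_plugin_zip(data):
    """True if a plugin ZIP contains an uninit.js that references child_process."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.rsplit("/", 1)[-1] == "uninit.js":
                    src = zf.read(name).decode("utf-8", "replace")
                    if "child_process" in src:
                        return True
    except zipfile.BadZipFile:
        return False
    return False


def build_sample_zip(uninit_src):
    """Build an in-memory plugin ZIP with the given uninit.js source (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/uninit.js", uninit_src)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In production the per-IP counter would be a sliding window rather than a lifetime count, and the upload/toggle correlation would key on the authenticated session rather than the source IP, but the structure of the rules is the same: one stateless check for the operator payload, one stateful check for enumeration volume, and one sequence check for the upload-then-toggle chain.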