cbcvebase.
CVE-2024-50672
published 2024-11-25


Priority: P2 71 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 1.53% (71.5th percentile)
A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application.

Detection & IOCs (extracted from sources)

  • url: /api/login
  • url: /api/createtoken
  • url: /api/userpasswordreset/w00tw00t
  • url: /api/upload/contentplugin
  • url: /api/output/adapt/preview/{course_id}
  • url: /api/user
  • filename: adapt-contrib-xapi.zip
  • filename: scripts/postcopy.js
  • other: {"token": {"$regex": "^<prefix>"}, "password": "HaXX0r3d!"}
  • Monitor for PUT requests to /api/userpasswordreset/ with a JSON body containing a '$regex' operator in the 'token' field — this is the NoSQL injection pattern used to brute-force password reset tokens.
  • Alert on POST requests to /api/upload/contentplugin uploading a ZIP file containing a 'scripts/postcopy.js' file — this is the RCE delivery mechanism via malicious plugin upload.
  • Detect rapid sequential PUT requests to /api/userpasswordreset/ with incrementally varying regex token values (iterating over '0-9a-f' characters) — indicative of automated token enumeration.
  • Flag unauthenticated POST requests to /api/createtoken for multiple user accounts in rapid succession — the exploit generates reset tokens for all users before brute-forcing.
  • Monitor for plugin uploads (POST /api/upload/contentplugin) immediately followed by a PUT to /api/extensiontype/<id> setting '_isAddedByDefault: true', then a GET to /api/output/adapt/preview/ — this sequence indicates the full RCE exploit chain.
  • The exploit targets Adapt Authoring Tool version <= 0.11.3 specifically; the NoSQL injection occurs in Mongoose's find() function used in the password reset flow.
  • The exploit requires an initial valid (non-admin) credential to enumerate users via /api/user before performing the NoSQL injection password reset — pure unauthenticated exploitation is limited to the reset step itself.
  • The exploit hardcodes the reset password value 'HaXX0r3d!' for all accounts after successful token brute-force; defenders can use this as a canary credential in honeypot accounts.
  • The exploit uses the plugin name 'adapt-contrib-xapi' for the malicious plugin; if this plugin already exists it is deleted first, then re-uploaded with the malicious postcopy.js payload.
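The root cause and the first two detection bullets come down to one thing: a request-body value reaching a Mongoose find() filter as an object instead of a string. The following Node.js code is an added example written for this page; it is not code from the Adapt Authoring Tool or from the CVE sources. It shows the hardening check a reset handler should apply before building its filter, and a detector that scans JSON request logs for the `$regex`-in-token pattern and for per-source bursts of such requests. The route names follow the page; the token alphabet and length, the request-body field names and the log layout (`src`, `method`, `path`, `body`) are assumptions, and the log lines are constructed.

```javascript
// Added example; not code from the Adapt Authoring Tool or from the CVE sources.
// Route names follow the page; the token format, the body field names and the
// JSON log layout are assumptions made for this illustration.

// --- Mitigation: a user-controlled value must never reach a Mongoose filter as an object ---

// Returns the token when it is a plain string of the assumed shape, otherwise null.
// An object such as {"$regex": "^a"} fails the typeof check, so it can never
// become a query operator inside the find() filter.
function sanitizeResetToken(value) {
  if (typeof value !== 'string') return null;
  if (!/^[A-Za-z0-9_-]{16,128}$/.test(value)) return null; // assumed token alphabet and length
  return value;
}

// Filter a hardened reset handler would pass to Model.find(); null means reject the request.
function buildResetFilter(body) {
  const token = sanitizeResetToken(body ? body.token : undefined);
  return token === null ? null : { token };
}

// --- Detection: the operator-in-token pattern over JSON request logs ---

// True when the value is an object or array carrying a MongoDB operator key ($...) at any depth.
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  return Object.keys(value).some(k => k.startsWith('$') || hasOperatorKey(value[k]));
}

// Scans log lines (one JSON object per line) for PUT /api/userpasswordreset/ requests
// whose token field contains an operator, and reports sources that exceed
// burstThreshold such requests, the automated-enumeration signal from the bullets above.
function detectResetInjection(logLines, burstThreshold = 5) {
  const hits = [];
  const perSource = new Map();
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    const path = String(rec.path || '');
    if (rec.method !== 'PUT' || !path.startsWith('/api/userpasswordreset/')) continue;
    let body = rec.body;
    if (typeof body === 'string') { try { body = JSON.parse(body); } catch (e) { body = null; } }
    if (!body || !hasOperatorKey(body.token)) continue;
    hits.push({ src: rec.src, path, token: JSON.stringify(body.token) });
    perSource.set(rec.src, (perSource.get(rec.src) || 0) + 1);
  }
  const bursts = [...perSource].filter(([, n]) => n >= burstThreshold).map(([src]) => src);
  return { hits, bursts };
}

// Constructed sample log (not real traffic): five operator-bearing requests from one source
// with a prefix that grows by one character each time, one legitimate string-token reset,
// one unrelated login request and one broken line.
const SAMPLE_LOG = [
  ...['a', 'ab', 'abc', 'abcd', 'abcde'].map(p =>
    `{"src":"10.0.0.5","method":"PUT","path":"/api/userpasswordreset/w00tw00t","body":{"token":{"$regex":"^${p}"},"password":"HaXX0r3d!"}}`),
  '{"src":"10.0.0.9","method":"PUT","path":"/api/userpasswordreset/w00tw00t","body":{"token":"abcdef0123456789abcdef0123456789","password":"N3w-pass"}}',
  '{"src":"10.0.0.9","method":"POST","path":"/api/login","body":{"email":"user@example.test","password":"..."}}',
  'not json at all',
];

// Usage: run the detector over the sample and show the hardened filter rejecting an operator object.
console.log(JSON.stringify(detectResetInjection(SAMPLE_LOG), null, 2));
console.log(buildResetFilter({ token: { $regex: '^a' } }));
```

The two halves are deliberately independent: sanitizeResetToken belongs in the application (a typeof check plus an allow-list is enough to close the operator-injection path), while detectResetInjection runs over whatever request logging the deployment already has, so it can be used even where the application cannot be patched immediately.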