CVE-2024-50672
Published: 2024-11-25
Priority: P2 · Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.53% (71.5th percentile)
A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application.
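The mechanism behind that description, as an added illustration that is not the Adapt Authoring Tool's code: a reset handler that passes the request body's token straight into a find() query lets the client replace the string with an operator object, and the match/no-match response then becomes a character-by-character oracle for the token. The handler shapes, the in-memory stand-in for Mongoose matching and the token value are assumptions made so the example runs offline.

```javascript
// Added illustration of the bug class this advisory describes. It is not the
// Adapt Authoring Tool's code: the handler shapes, the in-memory collection
// and the token value are assumptions so the example runs offline.

// Constructed sample data: one pending reset token. Real tokens are random
// hex; a fixed value keeps the example deterministic.
const RESET_TOKENS = [
  { user: 'admin', token: 'deadbeef0badf00d' },
];

// Stand-in for Mongoose/MongoDB query matching: a plain value is compared by
// equality, an object carrying '$regex' is applied as a regular expression.
// This operator handling is what a client-supplied object abuses.
function findOne(collection, query) {
  const matches = doc => Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$regex' in cond) {
      return new RegExp(cond.$regex).test(String(doc[field]));
    }
    return doc[field] === cond;
  });
  return collection.find(matches) || null;
}

// Vulnerable shape: the JSON body's 'token' goes straight into the query, so
// the client decides whether it is a string or an operator object.
function vulnerableReset(body) {
  const match = findOne(RESET_TOKENS, { token: body.token });
  return { matched: match !== null, user: match ? match.user : null };
}

// Hardened shape: a reset token is an opaque hex string and nothing else may
// reach the query. The type check alone removes the operator; the format
// check additionally rejects junk before it costs a database round trip.
function hardenedReset(body) {
  const token = body.token;
  if (typeof token !== 'string' || !/^[0-9a-f]{8,64}$/.test(token)) {
    return { matched: false, user: null, error: 'invalid token' };
  }
  const match = findOne(RESET_TOKENS, { token });
  return { matched: match !== null, user: match ? match.user : null };
}

// Attacker loop matching the traffic the detection notes describe: extend the
// known prefix one hex character per round, using "matched" as the oracle.
// Cost is at most 16 requests per character instead of 16^n for the token.
function bruteForceToken(handler, length) {
  let known = '';
  for (let pos = 0; pos < length; pos++) {
    let next = null;
    for (const c of '0123456789abcdef') {
      if (handler({ token: { $regex: '^' + known + c } }).matched) { next = c; break; }
    }
    if (next === null) return null; // no oracle: the handler refused the operator
    known += next;
  }
  return known;
}
```

Against the vulnerable shape the 16-character token falls in at most 256 requests, and a single `{"token": {"$regex": ".*"}}` already matches whatever pending token find() returns first, so where a handler acts on that first match no brute force is needed at all. That is why the fix is the type check on the token (or an explicit String() cast / operator-stripping sanitiser before the query), not rate limiting on the endpoint.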
Detection & IOCs (extracted from sources)
- Monitor for PUT requests to /api/userpasswordreset/ whose JSON body carries a '$regex' operator in the 'token' field. A token is an opaque string; an operator object in that field is the NoSQL injection used to brute-force reset tokens.
- Alert on POST requests to /api/upload/contentplugin that upload a ZIP containing a 'scripts/postcopy.js' file; this is the RCE delivery mechanism via a malicious plugin.
- Detect rapid sequential PUT requests to /api/userpasswordreset/ with incrementally varying '$regex' token values (iterating over the characters '0-9a-f'); this indicates automated token enumeration.
- Flag unauthenticated POST requests to /api/createtoken for multiple user accounts in rapid succession; the exploit generates reset tokens for all users before brute-forcing.
- Monitor for a plugin upload (POST /api/upload/contentplugin) followed immediately by a PUT to /api/extensiontype/<id> setting '_isAddedByDefault: true' and then a GET to /api/output/adapt/preview/; this sequence is the full RCE exploit chain.
- The exploit targets Adapt Authoring Tool <= 0.11.3; the NoSQL injection occurs in the Mongoose find() query used by the password reset flow.
- The public exploit uses an initial valid (non-admin) credential to enumerate users via /api/user before performing the NoSQL injection reset. Only that enumeration step needs credentials; the reset itself is unauthenticated, so an attacker who already knows a target account name does not need them.
- The exploit hardcodes the reset password 'HaXX0r3d!' for all accounts after a successful token brute-force; defenders can use this value as a canary credential on honeypot accounts.
- The exploit uses the plugin name 'adapt-contrib-xapi' for the malicious plugin; if a plugin of that name already exists it is deleted first, then re-uploaded with the malicious postcopy.js payload.
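The five detection notes above turned into executable rules, as an added example that is neither from the page's sources nor from the Adapt project. The rules run over a constructed list of already-parsed requests; the record fields (ts, method, path, user, body, zipEntries) and the window/threshold values are assumptions about what a reverse proxy or WAF log yields after JSON parsing and ZIP inspection, and the ZIP entry list for the upload is constructed rather than captured.

```javascript
// Added example: the page's detection notes as rules over parsed requests.
// Not the Adapt project's code; field names and thresholds are assumptions.

// Assumed tuning knobs; adjust to the site's real reset volume.
const WINDOW_SECONDS = 60;
const ENUM_THRESHOLD = 5;       // '$regex' reset attempts inside one window
const MASS_TOKEN_THRESHOLD = 3; // distinct accounts given reset tokens inside one window

// Constructed sample traffic reproducing the described chain. Record 4 is a
// benign reset with a string token to show the rules ignore normal use.
const SAMPLE_REQUESTS = [
  { ts: 0,  method: 'POST', path: '/api/createtoken', user: null, body: { email: 'alice@example.test' } },
  { ts: 1,  method: 'POST', path: '/api/createtoken', user: null, body: { email: 'bob@example.test' } },
  { ts: 2,  method: 'POST', path: '/api/createtoken', user: null, body: { email: 'admin@example.test' } },
  { ts: 10, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: 'c0ffee1234', password: 'N3wPass!' } },
  { ts: 20, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: { $regex: '^0' } } },
  { ts: 21, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: { $regex: '^1' } } },
  { ts: 22, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: { $regex: '^2' } } },
  { ts: 23, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: { $regex: '^3' } } },
  { ts: 24, method: 'PUT',  path: '/api/userpasswordreset/', user: null, body: { token: { $regex: '^3a' } } },
  { ts: 60, method: 'POST', path: '/api/upload/contentplugin', user: 'admin', zipEntries: ['bower.json', 'scripts/postcopy.js'] },
  { ts: 61, method: 'PUT',  path: '/api/extensiontype/5f1a2b3c', user: 'admin', body: { _isAddedByDefault: true } },
  { ts: 62, method: 'GET',  path: '/api/output/adapt/preview/', user: 'admin' },
];

// True if a MongoDB operator (default '$regex') appears anywhere inside a value,
// so nesting the operator one level deeper does not slip past the rule.
function hasOperator(value, op = '$regex') {
  if (value === null || typeof value !== 'object') return false;
  if (Object.prototype.hasOwnProperty.call(value, op)) return true;
  return Object.values(value).some(v => hasOperator(v, op));
}

const isRegexReset = r => r.method === 'PUT'
  && r.path.startsWith('/api/userpasswordreset')
  && hasOperator((r.body || {}).token);
const isPluginUpload = r => r.method === 'POST' && r.path === '/api/upload/contentplugin';

function detect(requests) {
  const alerts = [];
  const sorted = [...requests].sort((a, b) => a.ts - b.ts);

  // Rule 1: an operator in the token field is injection, not a typo; one alert per request.
  for (const r of sorted) {
    if (isRegexReset(r)) alerts.push({ rule: 'nosql_injection_reset', ts: r.ts });
  }

  // Rule 3: a burst of such requests is automated enumeration (one alert per burst).
  const regexTs = sorted.filter(isRegexReset).map(r => r.ts);
  for (let i = 0; i + ENUM_THRESHOLD <= regexTs.length; i++) {
    if (regexTs[i + ENUM_THRESHOLD - 1] - regexTs[i] <= WINDOW_SECONDS) {
      alerts.push({ rule: 'token_enumeration', ts: regexTs[i] });
      break;
    }
  }

  // Rule 4: unauthenticated token creation for many distinct accounts in one window.
  const creates = sorted.filter(r => r.method === 'POST' && r.path.startsWith('/api/createtoken') && !r.user);
  for (let i = 0; i < creates.length; i++) {
    const accounts = new Set(creates
      .filter(r => r.ts >= creates[i].ts && r.ts - creates[i].ts <= WINDOW_SECONDS)
      .map(r => (r.body || {}).email));
    if (accounts.size >= MASS_TOKEN_THRESHOLD) {
      alerts.push({ rule: 'mass_token_creation', ts: creates[i].ts, accounts: accounts.size });
      break;
    }
  }

  // Rule 2 and Rule 5: plugin ZIP carrying scripts/postcopy.js, and the
  // upload -> enable-by-default -> preview sequence that triggers it.
  for (const up of sorted.filter(isPluginUpload)) {
    if ((up.zipEntries || []).some(e => e.replace(/^\.?\//, '').endsWith('scripts/postcopy.js'))) {
      alerts.push({ rule: 'malicious_plugin_upload', ts: up.ts });
    }
    const later = sorted.filter(r => r.ts > up.ts && r.ts - up.ts <= WINDOW_SECONDS);
    const enable = later.find(r => r.method === 'PUT'
      && /^\/api\/extensiontype\/[^/]+/.test(r.path)
      && (r.body || {})._isAddedByDefault === true);
    const preview = enable && later.find(r => r.ts > enable.ts && r.method === 'GET'
      && r.path.startsWith('/api/output/adapt/preview'));
    if (preview) alerts.push({ rule: 'rce_chain', ts: up.ts });
  }
  return alerts;
}

// Distinct rule names fired, sorted, for quick triage or for tests.
function rulesFired(requests) {
  return [...new Set(detect(requests).map(a => a.rule))].sort();
}
```

Rule 1 alone is the high-confidence signal: a legitimate client never sends an object in the token field, so it needs no threshold and no window. Rules 3 and 4 exist for environments where the WAF only logs method and path, not the body; their thresholds must be tuned against real reset traffic. Rule 5 is the one worth paging on, because by the time the preview request arrives the postcopy.js payload has already had its chance to run.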
No detection rules found.
No writeups or analysis indexed.