Multiple Local File Inclusion vulnerabilities in CuppaCMS alerts
Vulnerability disclosed:
CuppaCMS, at the latest GitHub commit and earlier (no version numbers), suffers from multiple Local File Inclusion vulnerabilities.
- Script '/alerts/alertConfigField.php' has a parameter, $_POST['urlConfig'], that is not sanitised properly. A publicly available exploit for it already exists, but the vendor did not patch the vulnerability correctly: $_REQUEST['urlConfig'] was changed to $_POST['urlConfig'], so the application is still vulnerable through a POST request.
- Script '/alerts/alertLightbox.php' has a parameter, $_POST['url'], that is passed to the 'include' function without sanitisation.

An attacker can use these two vulnerabilities to include arbitrary system files on the server.
PoC:
Author: Mateo Hanžek
Reference: CuppaCMS/CuppaCMS#15
CVEs Assigned: CVE-2022-25485, CVE-2022-25486
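
The containment check that both parameters lack, shown as an added example (not CuppaCMS code and not the vendor's fix). The function name `resolve_include`, the `templates` directory and the sample file names are assumptions made for illustration.

```php
<?php
// Added example; not CuppaCMS code. Names and directory layout are assumptions.
// Pattern the advisory describes (simplified):
//     include $_POST['url'];
// Reading the value from $_POST instead of $_REQUEST changes only the HTTP
// method that carries it; request data still chooses the file.

/** Map a request value to a file under $baseDir, or null if it must be rejected. */
function resolve_include(string $baseDir, $requested): ?string
{
    // Arrays (url[]=...), empty strings and NUL bytes are never valid names.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // No stream wrappers or drive letters (scheme:), no absolute paths.
    if (preg_match('#^([a-z][a-z0-9+.-]*:|[/\\\\])#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null; // base or target does not exist
    }
    // realpath() has collapsed ".." and symlinks; the result must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only regular .php templates are includable.
    if (!is_file($full) || pathinfo($full, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $full;
}

// Constructed demo: a temp directory stands in for the template folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/field.php', "<?php // template\n");
file_put_contents($root . '/outside.php', "<?php // outside the base\n");

$samples = ['field.php', '../outside.php', $root . '/outside.php',
            'file://' . $root . '/outside.php', 'missing.php', ['field.php']];
foreach ($samples as $in) {
    $path = resolve_include($root . '/templates', $in);
    printf("%-45s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'include ' . basename($path));
}
```

Only the first sample resolves to a file; every other value is rejected before any `include` would run. A fixed allowlist mapping permitted names to files is stricter still when the set of templates is known in advance.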
