Multiple Local File Inclusion vulnerabilities in CuppaCMS alerts

Vulnerability disclosed:

CuppaCMS, at its latest GitHub commit and earlier (no version numbers), suffers from multiple Local File Inclusion vulnerabilities.

  • The script '/alerts/alertConfigField.php' takes the parameter $_POST['urlConfig'], which is not sanitised properly. A public exploit for this issue already exists, but the vendor did not patch the vulnerability correctly: $_REQUEST['urlConfig'] was changed to $_POST['urlConfig'], so the application is still vulnerable through a POST request.

  • The script '/alerts/alertLightbox.php' takes the parameter $_POST['url'], which is passed to the 'include' function without sanitisation. An attacker can use these two vulnerabilities to include arbitrary system files on the server.
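
One way to constrain a request-supplied include path, as an added example that is not CuppaCMS code or the vendor's patch: the value is canonicalised with realpath() and accepted only if it stays under a fixed base directory, whichever superglobal it arrived in. The function name safe_include_path(), the templates base directory and the demo files are assumptions made for illustration.

```php
<?php
// Added example; safe_include_path() and the demo tree are hypothetical.
declare(strict_types=1);

/**
 * Map a request-supplied relative path to a file inside $baseDir.
 * Returns the canonical path, or null if the value must be rejected.
 */
function safe_include_path(string $baseDir, string $userPath, array $allowedExt = ['php']): ?string
{
    // Reject empty values and NUL bytes before touching the filesystem.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ../ and symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the canonical path must still sit below the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $real : null;
}

// Constructed demo tree: templates/ok.php is legitimate, secret.php lies outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/ok.php', "<?php echo 'ok';\n");
file_put_contents($root . '/secret.php', "<?php // outside the base\n");

// In a handler the value would be $_POST['url'] or $_POST['urlConfig'];
// the check is the same whichever superglobal carries it.
foreach (['ok.php', '../secret.php', 'missing.php', $root . '/secret.php'] as $value) {
    $path = safe_include_path($root . '/templates', $value);
    printf("%-12s %s\n", $path === null ? 'rejected' : 'allowed', $value);
}
```

Where the set of includable files is small, a fixed allowlist that maps short keys to known file paths is stricter still, because the request value never becomes part of a path.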

PoC: [image]

Author: Mateo Hanžek

Reference: CuppaCMS/CuppaCMS#15

CVEs Assigned: CVE-2022-25485, CVE-2022-25486