CVE-2022-25401
Published: 24 February 2022
Summary
CVE-2022-25401 is a high-severity vulnerability (weakness type unspecified) in Cuppa CMS (vendor and product both listed as Cuppacms). Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a path traversal issue in the copy function of the file manager component within Cuppa CMS version 1.0. It permits an attacker to specify an arbitrary source file path that the application will copy into the current working directory, thereby exposing the contents of files that should otherwise be inaccessible.
The flaw is exploitable remotely by unauthenticated attackers over the network, as reflected in its CVSS 3.1 score of 7.5. Successful exploitation grants read access to sensitive files on the server, such as configuration files or source code, without requiring user interaction or elevated privileges.
The associated EPSS score has remained flat at 0.0703 with no material increase after disclosure, indicating limited observed exploitation interest to date. No vendor advisory or patch information is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30071
Vulnerability details
The copy function of the file manager in Cuppa CMS v1.0 allows any file to be copied to the current directory, granting attackers read access to arbitrary files.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.