CVE-2022-34121
Published: 27 July 2022
Summary
CVE-2022-34121 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Cuppacms Cuppacms. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Cuppa CMS version 1.0 contains a local file inclusion vulnerability in the component /templates/default/html/windows/right.php. The flaw is tracked as CVE-2022-34121 with a CVSS 3.1 base score of 7.5, reflecting network-accessible exploitation that requires no authentication or user interaction and results in high-impact disclosure of arbitrary files on the server.
An unauthenticated remote attacker can supply a crafted path parameter to the affected endpoint and retrieve sensitive local files, including configuration data or source code that may contain credentials. Public proof-of-concept code demonstrating the issue has been published on GitHub, confirming that the vulnerability can be triggered with a simple HTTP request.
The EPSS score for this CVE rose from a low baseline to a peak of 0.6571 on 2025-01-22 before receding to its current value of 0.2541, indicating a clear increase in observed exploitation interest well after the original 2022 disclosure. No official vendor advisory or patch information appears among the referenced GitHub issues and exploit repositories.
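Because the advisory above describes an unauthenticated LFI triggered by a single crafted HTTP request to a known component, access logs are a practical place to look for attempts. The following is an added example, not code from the advisory or from the Cuppa CMS project: it scans constructed web-server log lines for traversal or absolute-path values in any query parameter sent to the affected component. The parameter name `url` in the sample lines is a placeholder, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path of the affected component, taken from the advisory text.
AFFECTED_PATH = "/templates/default/html/windows/right.php"

# Constructed sample access-log lines (combined log format), not real traffic.
# The query parameter name "url" is a placeholder; the advisory does not name it.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2025:10:01:02 +0000] "GET /templates/default/html/windows/right.php?url=../../../../etc/passwd HTTP/1.1" 200 1423
203.0.113.5 - - [22/Jan/2025:10:01:09 +0000] "GET /templates/default/html/windows/right.php?url=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 874
198.51.100.7 - - [22/Jan/2025:10:02:15 +0000] "GET /templates/default/html/windows/right.php?url=index.php HTTP/1.1" 200 512
198.51.100.7 - - [22/Jan/2025:10:03:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 219
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; double encoding is a
    common way to slip traversal sequences past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_lfi(value):
    """Flag parent-directory traversal, absolute paths and NUL-byte truncation."""
    v = fully_decode(value).replace("\\", "/")
    return "../" in v or v.startswith("/") or "\x00" in v


def find_lfi_attempts(log_text):
    """Return (client ip, parameter, decoded value, status) for each request to
    the affected component that carries a suspicious parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != AFFECTED_PATH:   # scoped to this CVE's component
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if looks_like_lfi(value):
                hits.append((m["ip"], name, fully_decode(value), int(m["status"])))
                break
    return hits
```

A 200 status on a flagged request is the signal to escalate: it suggests the include succeeded rather than being blocked or rejected.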
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37137
Vulnerability details
Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
- The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
- Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
- Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
- Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
- Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.
- Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.