Westboy CicadasCMS Command Injection Vulnerability in Scheduled Task Handler

Vulnerability

A critical vulnerability allowing OS command injection has been identified in Westboy CicadasCMS version 2.0. The issue arises in the Scheduled Task Handler component, specifically within the file '/system/schedule/save'. The vulnerability can be exploited remotely; the details have been publicly disclosed and an exploit is available.

Impact

Exploitation of this vulnerability leads to remote code execution on the server where CicadasCMS is hosted.

Reproduction

To reproduce this vulnerability, a scheduled task can be created by sending a POST request to '/system/schedule/save'. The request must include a 'springBean' field with the value 'dataSourceConfiguration', a 'methodName' field set to 'dataSource', and a 'cronExpression' that specifies when the task should run. After the task is added, it can be executed, which will trigger the command injection vulnerability. The injection can be verified by checking if the 'dataSource' method of the 'dataSourceConfiguration' bean has been manipulated, indicating successful exploitation.

Remediation

It is recommended to implement a blacklist and whitelist for execution types in scheduled tasks to prevent such vulnerabilities.
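
One way to express such a check, as an added example that is not CicadasCMS code: a policy that validates the 'springBean' and 'methodName' fields of a scheduled task against a denylist and an allowlist. The class name and the allowlisted bean and method names are hypothetical; only 'dataSourceConfiguration' and 'dataSource' come from the reproduction above.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration, not project code. Class name and allowlist entries are hypothetical.
public final class ScheduleTargetPolicy {

    // Hypothetical allowlist: bean name -> methods a scheduled task may invoke.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "contentIndexTask", Set.of("rebuildIndex"),
            "cacheCleanupTask", Set.of("evictExpired", "evictAll"));

    // Denylist as a second layer: infrastructure beans are never schedulable,
    // even if one is later added to the allowlist by mistake.
    private static final Set<String> DENIED_BEANS = Set.of("dataSourceConfiguration");

    // Only plain identifiers are accepted; rejects expressions, paths and whitespace.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    public static boolean isAllowed(String springBean, String methodName) {
        if (springBean == null || methodName == null) {
            return false;
        }
        if (!IDENTIFIER.matcher(springBean).matches()
                || !IDENTIFIER.matcher(methodName).matches()) {
            return false;
        }
        if (DENIED_BEANS.contains(springBean)) {
            return false; // deny wins over allow
        }
        return ALLOWED.getOrDefault(springBean, Set.of()).contains(methodName);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {springBean, methodName}.
        String[][] samples = {
                {"contentIndexTask", "rebuildIndex"},      // allowed
                {"dataSourceConfiguration", "dataSource"}, // denied bean from the advisory
                {"cacheCleanupTask", "shutdown"},          // bean allowed, method not
                {"contentIndexTask ", "rebuildIndex"},     // fails identifier check
        };
        for (String[] s : samples) {
            System.out.printf("%s.%s -> %s%n", s[0], s[1],
                    isAllowed(s[0], s[1]) ? "accept" : "reject");
        }
    }
}
```

The check belongs both where '/system/schedule/save' accepts a task and immediately before the scheduler resolves the bean, so that tasks stored before the policy existed are rejected as well.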

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.