CVE-2022-37191

Name of the Vulnerable Software and Affected Versions CuppaCMS version 1.0

Description The issue allows an authenticated user to read system files via a crafted POST request. This is achieved by using the function parameter value as a Local File Inclusion (LFI) payload in the "cuppa/api/index.php" component. LFI is a type of vulnerability that enables an attacker to include or execute files on a server, potentially leading to sensitive data exposure or code execution.

Recommendations For CuppaCMS version 1.0, as a temporary workaround, consider restricting access to the "cuppa/api/index.php" component or disabling the use of the function parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.