CVE-2021-3376

8.8 HIGH

📋 TL;DR

CVE-2021-3376 is a privilege escalation vulnerability in Cuppa CMS that allows authenticated attackers to elevate their privileges via a crafted POST request. This affects all Cuppa CMS installations before the January 31, 2021 update. Attackers with valid credentials can gain administrative access to the CMS.

💻 Affected Systems

Products:
  • Cuppa CMS
Versions: All versions before January 31, 2021
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the CMS. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over the CMS, allowing them to modify content, install malicious plugins, access sensitive data, and potentially compromise the underlying server.

🟠 Likely Case

Authenticated users escalate to administrator privileges, gaining unauthorized access to CMS administrative functions and potentially sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized privilege changes that can be detected and reversed.

🌐 Internet-Facing: HIGH - CMS systems are typically internet-facing, making them accessible to attackers with valid credentials.
🏢 Internal Only: MEDIUM - Internal attackers with CMS credentials could exploit this, but exploitation requires initial authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is well-documented in public GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions from January 31, 2021 onward

Vendor Advisory: https://github.com/CuppaCMS/CuppaCMS/issues/12

Restart Required: No

Instructions:

1. Update Cuppa CMS to a version from January 31, 2021 or later.
2. Download the latest version from the official repository.
3. Replace the existing installation files.
4. Verify that user permissions are properly configured.

🔧 Temporary Workarounds

Restrict POST requests to user_group_id_field

all

Implement web application firewall rules to block or monitor POST requests containing the user_group_id_field parameter.

Temporary user permission restrictions

all

Temporarily restrict all non-admin users to read-only access until patching can be completed.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all administrative actions in the CMS
  • Isolate the CMS system from critical network segments and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check the Cuppa CMS version date. If the installation date is before January 31, 2021, it is vulnerable.

Check Version:

Check CMS installation directory for file modification dates or review CMS admin panel version information.

Verify Fix Applied:

Verify CMS files have modification dates of January 31, 2021 or later. Test user permission changes to ensure they cannot be escalated.

📡 Detection & Monitoring

Log Indicators:

  • POST requests containing 'user_group_id_field' parameter
  • Unexpected user privilege changes in CMS logs
  • Multiple failed privilege escalation attempts

Network Indicators:

  • POST requests to CMS admin endpoints with unusual parameters
  • Traffic patterns showing privilege escalation attempts

SIEM Query:

source="cuppa_cms" AND (http_method="POST" AND uri_path="*admin*" AND parameters="*user_group_id_field*")
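
The same check as an offline scan, added here as an example (not code from Cuppa CMS or from the original page). It assumes request events exported as JSON lines using the field names from the query above, with "parameters" holding the raw URL-encoded POST body; the "ts" and "user" fields and all sample events are constructed. It decodes the body as the server would and matches on parameter names only, so a value that merely mentions the string is not flagged.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl

MARKER = "user_group_id_field"  # parameter name given on this page

# Constructed sample events; "ts" and "user" are assumed fields.
SAMPLE_LOG = """\
{"ts": "2021-02-01T10:00:01Z", "user": "editor1", "http_method": "POST", "uri_path": "/cms/admin/save", "parameters": "name=Bob&user_group_id_field=1"}
{"ts": "2021-02-01T10:02:10Z", "user": "editor1", "http_method": "GET", "uri_path": "/cms/admin/list", "parameters": ""}
{"ts": "2021-02-01T10:05:00Z", "user": "admin", "http_method": "POST", "uri_path": "/cms/admin/save", "parameters": "title=Hello&body=text"}
{"ts": "2021-02-01T10:07:30Z", "user": "editor2", "http_method": "POST", "uri_path": "/cms/Admin/save", "parameters": "user%5Fgroup%5Fid%5Ffield=1&x=2"}
{"ts": "2021-02-01T10:09:00Z", "user": "editor1", "http_method": "POST", "uri_path": "/cms/admin/save", "parameters": "comment=about+user_group_id_field"}
not json
"""

def param_names(raw_body):
    """Decode a URL-encoded body and return its parameter names, lowercased."""
    return [k.lower() for k, _ in parse_qsl(raw_body, keep_blank_values=True)]

def suspicious(event):
    """True for a POST to an admin path that carries the marker as a parameter name."""
    if event.get("http_method", "").upper() != "POST":
        return False
    if "admin" not in event.get("uri_path", "").lower():
        return False
    return any(MARKER in name for name in param_names(event.get("parameters", "")))

def scan(log_text):
    """Return {user: [timestamps]} for every suspicious event in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if isinstance(event, dict) and suspicious(event):
            hits[event.get("user", "unknown")].append(event.get("ts", ""))
    return dict(hits)

if __name__ == "__main__":
    for user, times in scan(SAMPLE_LOG).items():
        print(f"{user}: {len(times)} request(s) at {', '.join(times)}")
```

Correlate each flagged user with the "Unexpected user privilege changes" indicator above: a hit followed by a group change for the same account is the pattern to investigate.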
