CVE-2021-40290

Shaun Whorton
Nov 5, 2021

In this blog post I'll share a recent vulnerability I found in a CMS, how I found it, and a PoC exploit.

I should stress before we get into the nitty-gritty, this is my first CVE. It’s not super technical, it’s not going to turn any heads, but seeing as it’s my first one, I’m pretty pleased I found something, even if that ‘something’ is little.

Whilst designing an online lab playground for <company name redacted>, I came to the realisation that I needed an insecure web application for the lab participants to interact with. I downloaded a few open source projects, but my search for a vulnerable application was fruitless; I specifically wanted a user-login bypass vulnerability. After some more searching, I came across this CMS, Dental Clinic Appointment Reservation System. I saw that it already had an exploit for bypassing the admin login, and wanted to dive a little deeper into how it authenticates a regular user login. I downloaded the source code and took a look under the hood.

The vulnerability

With CMS applications, the first thing I tend to look for is a lack of input sanitisation: the application takes user input, for example a username and/or password, and concatenates it straight into the SQL query it runs against the database to validate the login during authentication. Because the input is never escaped or bound as a parameter, the database parses it as part of the query rather than as data, which is exactly what lets a crafted username or password rewrite the authentication check. This was indeed present in the aforementioned admin bypass:
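The CMS's own login query is not reproduced on this page, so the following is an added, constructed stand-in (not the CMS's code, and not the author's exploit) showing the pattern described above: a login function that concatenates the username and password into the SQL string, beside the same check written with a parameterised query. The `users` table, its columns and the `alice` row are assumptions made up for the example; the plaintext password comparison mirrors the "pass it to the database for validation" flow the text describes and is a simplification, not a statement about how the CMS stores credentials.

```python
import sqlite3

# Constructed in-memory database standing in for the CMS's user table.
# Table name, column names and the sample user are assumptions for this
# example only; they are not the CMS's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 's3cret')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input concatenated straight into the SQL.

    The database cannot tell where the attacker's quote characters end and
    the developer's query resumes, so the WHERE clause can be rewritten.
    """
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # Classic tautology payload in both fields: username='' OR '1'='1' ...
    tautology = "' OR '1'='1"
    # Comment-out payload: closes the username string and discards the
    # password check with an SQL line comment.
    comment_out = "alice'-- "
    print("vuln, tautology  :", login_vulnerable(db, tautology, tautology))
    print("vuln, comment-out:", login_vulnerable(db, comment_out, "anything"))
    print("safe, tautology  :", login_hardened(db, tautology, tautology))
    print("safe, comment-out:", login_hardened(db, comment_out, "anything"))
    print("safe, real creds :", login_hardened(db, "alice", "s3cret"))
```

Both payloads log in through `login_vulnerable` without knowing the password, because the concatenated query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'` (always true) or `... WHERE username = 'alice'-- ...` (password clause commented away). The same strings fail against `login_hardened`, where they are compared literally against the stored username.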


Shaun Whorton

Senior Security Consultant | BSc, MSc, PNPT, CRTP, eCPPT, eCPTX, OSCP, CEH(P)