CVE-2021-36582

CRITICAL

Kooboo CMS 2.1.1.0 - Command Injection

Title source: llm

Description

In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. The files are uploaded to /Content/Template/root/reverse-shell.aspx and can be simply triggered by browsing that URL.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

http://kooboo.com

Third Party Advisory x_refsource_misc

https://github.com/l00neyhacker/CVE-2021-36582

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0058

EPSS Percentile 69.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

kooboo/kooboo_cms 2.1.1.0

Published Sep 14, 2021

Tracked Since Feb 18, 2026