CVE-2022-28117

MEDIUM NUCLEI

Naviwebs Navigate CMS - SSRF

Title source: rule

Description

A Server-Side Request Forgery (SSRF) in the feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.

Exploits (3)

exploitdb WORKING POC
by cheshireca7 · python · webapps · php
https://www.exploit-db.com/exploits/50921
nomisec WORKING POC 2 stars
by cheshireca7 · poc
https://github.com/cheshireca7/CVE-2022-28117
nomisec WORKING POC
by kimstars · poc
https://github.com/kimstars/POC-CVE-2022-28117

Nuclei Templates (1)

Navigate CMS 2.9.4 - Server-Side Request Forgery
MEDIUM · VERIFIED · by theabhinavgaur

Scores

CVSS v3 4.9
EPSS 0.6713
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-918
Status published
Products (1)
naviwebs/navigate_cms 2.9.4
Published Apr 28, 2022
Tracked Since Feb 18, 2026