Bolt CMS
The jamovi instance running on target port 3000 had a module, Rj Editor, installed, which allows users to run R code.
Through the Rj Editor module, I was able to access a sensitive document that contains CLEARTEXT credentials for 3 users found on the web server on port 80.
The administrative panel for Bolt CMS is available for access through /bolt
Testing credentials
It went through.
Notice that I logged in as the admin user, but it shows that I am Saul.
Version
The version information is available at the left-hand menu.
Bolt 5.1.3
The instance is fairly new and doesn’t seem to have any critical vulnerabilities.
RCE?
The thing with Bolt CMS is that RCE can easily be achieved via SSTI through the built-in configuration