CVE-2020-27386

high-risk
Published 2020-11-12

An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to /<path_to_file>.

Do I need to act?

!
77.9% chance of exploitation in next 30 days
EPSS score — higher than 22% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Flexdotnetcms Project

References (8)

Third Party Advisory http://packetstormsecurity.com/files/160411/FlexDotnetCMS-1.5.8-Arbitrary-ASP-Fi...
Exploit https://blog.vonahi.io/whats-in-a-re-name/
Release Notes https://github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9
Exploit https://github.com/rapid7/metasploit-framework/pull/14339
Third Party Advisory http://packetstormsecurity.com/files/160411/FlexDotnetCMS-1.5.8-Arbitrary-ASP-Fi...
Exploit https://blog.vonahi.io/whats-in-a-re-name/
Release Notes https://github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9
Exploit https://github.com/rapid7/metasploit-framework/pull/14339
55
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal