CVE-2020-27387

high-risk
Published 2020-11-05

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.

Do I need to act?

!
70.3% chance of exploitation in next 30 days
EPSS score — higher than 30% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (9)

Horizontcms
Horizontcms
Horizontcms
Horizontcms
Horizontcms
Horizontcms
Horizontcms
Horizontcms
Horizontcms

Affected Vendors

Horizontcms Project

References (8)

Exploit http://packetstormsecurity.com/files/160046/HorizontCMS-1.0.0-beta-Shell-Upload....
Exploit https://blog.vonahi.io/whats-in-a-re-name/
Third Party Advisory https://github.com/rapid7/metasploit-framework/pull/14340
Patch https://github.com/ttimot24/HorizontCMS/commit/436b5ab679fd27afa3d99c023dbe10311...
Exploit http://packetstormsecurity.com/files/160046/HorizontCMS-1.0.0-beta-Shell-Upload....
Exploit https://blog.vonahi.io/whats-in-a-re-name/
Third Party Advisory https://github.com/rapid7/metasploit-framework/pull/14340
Patch https://github.com/ttimot24/HorizontCMS/commit/436b5ab679fd27afa3d99c023dbe10311...
64
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 19/34 · Moderate
Exposure 15/34 · Moderate