CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CVE-2020-14488 (GCVE-0-2020-14488)
Vulnerability from cvelistv5 – Published: 2020-07-29 13:15 – Updated: 2024-09-17 02:06
VLAI
Title
OpenClinic GA
Summary
OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system.
Severity
8.8 (High)
CWE
- CWE-434 - UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open source | OpenClinic GA |
Affected:
5.09.02
Affected: 5.89.05b |
Date Public
2020-07-02 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenClinic GA",
"vendor": "open source",
"versions": [
{
"status": "affected",
"version": "5.09.02"
},
{
"status": "affected",
"version": "5.89.05b"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brian D. Hysell reported these vulnerabilities to CISA."
}
],
"datePublic": "2020-07-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T13:15:21.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01"
}
],
"source": {
"advisory": "ICSMA-20-184-01 OpenClinic GA",
"discovery": "EXTERNAL"
},
"title": "OpenClinic GA",
"workarounds": [
{
"lang": "en",
"value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-07-02T00:00:00.000Z",
"ID": "CVE-2020-14488",
"STATE": "PUBLIC",
"TITLE": "OpenClinic GA"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenClinic GA",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.09.02"
},
{
"version_affected": "=",
"version_value": "5.89.05b"
}
]
}
}
]
},
"vendor_name": "open source"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brian D. Hysell reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01"
}
]
},
"source": {
"advisory": "ICSMA-20-184-01 OpenClinic GA",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-14488",
"datePublished": "2020-07-29T13:15:21.912Z",
"dateReserved": "2020-06-19T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:04.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15189 (GCVE-0-2020-15189)
Vulnerability from cvelistv5 – Published: 2020-09-18 17:20 – Updated: 2024-08-04 13:08
VLAI
Title
Remote Code Execution in SOY CMS
Summary
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328.
Severity
6.8 (Medium)
CWE
- CWE-434 - {"CWE-434":"Unrestricted Upload of File with Dangerous Type"}
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/inunosinsi/soycms/security/adv… | x_refsource_CONFIRM |
| https://github.com/inunosinsi/soycms/issues/9 | x_refsource_MISC |
| https://github.com/inunosinsi/soycms/pull/14 | x_refsource_MISC |
| https://github.com/inunosinsi/soycms/pull/14/comm… | x_refsource_MISC |
| https://youtu.be/FWIDFNXmr9g | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| inunosinsi | soycms |
Affected:
< 3.0.2.328
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "soycms",
"vendor": "inunosinsi",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.2.328"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T17:20:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/FWIDFNXmr9g"
}
],
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in SOY CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15189",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in SOY CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "soycms",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.2.328"
}
]
}
}
]
},
"vendor_name": "inunosinsi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-434\":\"Unrestricted Upload of File with Dangerous Type\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433",
"refsource": "CONFIRM",
"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433"
},
{
"name": "https://github.com/inunosinsi/soycms/issues/9",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/issues/9"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14"
},
{
"name": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59",
"refsource": "MISC",
"url": "https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59"
},
{
"name": "https://youtu.be/FWIDFNXmr9g",
"refsource": "MISC",
"url": "https://youtu.be/FWIDFNXmr9g"
}
]
},
"source": {
"advisory": "GHSA-6r2f-p68g-m433",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15189",
"datePublished": "2020-09-18T17:20:16.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15277 (GCVE-0-2020-15277)
Vulnerability from cvelistv5 – Published: 2020-10-30 17:30 – Updated: 2024-08-04 13:15
VLAI
Title
Remote Code Execution in baserCMS
Summary
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
Severity
7.2 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/baserproject/basercms/security… | x_refsource_CONFIRM |
| https://basercms.net/security/20201029 | x_refsource_MISC |
| https://github.com/baserproject/basercms/commit/b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| baserproject | basercms |
Affected:
>= 4.0.0, < 4.4.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:19.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6fmv-q269-55cw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://basercms.net/security/20201029"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/baserproject/basercms/commit/bb027c3967b0430adcff2d2fedbc23d39077563b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "basercms",
"vendor": "baserproject",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-30T17:30:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6fmv-q269-55cw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://basercms.net/security/20201029"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baserproject/basercms/commit/bb027c3967b0430adcff2d2fedbc23d39077563b"
}
],
"source": {
"advisory": "GHSA-6fmv-q269-55cw",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in baserCMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15277",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in baserCMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "basercms",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c 4.4.1"
}
]
}
}
]
},
"vendor_name": "baserproject"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/baserproject/basercms/security/advisories/GHSA-6fmv-q269-55cw",
"refsource": "CONFIRM",
"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6fmv-q269-55cw"
},
{
"name": "https://basercms.net/security/20201029",
"refsource": "MISC",
"url": "https://basercms.net/security/20201029"
},
{
"name": "https://github.com/baserproject/basercms/commit/bb027c3967b0430adcff2d2fedbc23d39077563b",
"refsource": "MISC",
"url": "https://github.com/baserproject/basercms/commit/bb027c3967b0430adcff2d2fedbc23d39077563b"
}
]
},
"source": {
"advisory": "GHSA-6fmv-q269-55cw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15277",
"datePublished": "2020-10-30T17:30:16.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:15:19.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15645 (GCVE-0-2020-15645)
Vulnerability from cvelistv5 – Published: 2020-08-25 20:21 – Updated: 2024-08-04 13:22
VLAI
Summary
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getFileFromURL method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10553.
Severity
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.marvell.com/content/dam/marvell/en/pu… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.tenable.com/security/research/tra-2020-56 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Marvell | QConvergeConsole |
Affected:
5.5.0.64
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-973/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2020-56"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QConvergeConsole",
"vendor": "Marvell",
"versions": [
{
"status": "affected",
"version": "5.5.0.64"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "rgod"
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getFileFromURL method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10553."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T14:06:12.000Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-973/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2020-56"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "zdi-disclosures@trendmicro.com",
"ID": "CVE-2020-15645",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QConvergeConsole",
"version": {
"version_data": [
{
"version_value": "5.5.0.64"
}
]
}
}
]
},
"vendor_name": "Marvell"
}
]
}
},
"credit": "rgod",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getFileFromURL method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10553."
}
]
},
"impact": {
"cvss": {
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf",
"refsource": "MISC",
"url": "https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-973/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-973/"
},
{
"name": "https://www.tenable.com/security/research/tra-2020-56",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2020-56"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2020-15645",
"datePublished": "2020-08-25T20:21:27.000Z",
"dateReserved": "2020-07-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:22:30.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24407 (GCVE-0-2020-24407)
Vulnerability from cvelistv5 – Published: 2020-11-09 00:39 – Updated: 2024-09-16 20:16
VLAI
Title
Arbitrary code execution via file import functionality
Summary
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Severity
9.1 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type (CWE-434)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.0
(custom)
Affected: unspecified , ≤ 2.3.5p1 (custom) Affected: unspecified , ≤ None (custom) |
Date Public
2020-10-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.5p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-10-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type (CWE-434)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T00:39:56.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary code execution via file import functionality",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2020-10-15T23:00:00.000Z",
"ID": "CVE-2020-24407",
"STATE": "PUBLIC",
"TITLE": "Arbitrary code execution via file import functionality"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.0"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.5p1"
},
{
"version_affected": "\u003c=",
"version_value": "None"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unrestricted Upload of File with Dangerous Type (CWE-434)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb20-59.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2020-24407",
"datePublished": "2020-11-09T00:39:56.269Z",
"dateReserved": "2020-08-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:16:25.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26252 (GCVE-0-2020-26252)
Vulnerability from cvelistv5 – Published: 2021-01-20 21:55 – Updated: 2024-08-04 15:56
VLAI
Title
Layout XML RCE Vulnerability in OpenMage
Summary
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml. The latest OpenMage Versions up from 19.4.10 and 20.0.6 have this issue solved.
Severity
8.7 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/OpenMage/magento-lts/security/… | x_refsource_CONFIRM |
| https://github.com/OpenMage/magento-lts/commit/07… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenMage | magento-lts |
Affected:
< 19.4.10
Affected: >= 20, < 20.0.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.990Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "magento-lts",
"vendor": "OpenMage",
"versions": [
{
"status": "affected",
"version": "\u003c 19.4.10"
},
{
"status": "affected",
"version": "\u003e= 20, \u003c 20.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml. The latest OpenMage Versions up from 19.4.10 and 20.0.6 have this issue solved."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T21:55:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3"
}
],
"source": {
"advisory": "GHSA-99m6-r53j-4hh2",
"discovery": "UNKNOWN"
},
"title": "Layout XML RCE Vulnerability in OpenMage",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26252",
"STATE": "PUBLIC",
"TITLE": "Layout XML RCE Vulnerability in OpenMage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "magento-lts",
"version": {
"version_data": [
{
"version_value": "\u003c 19.4.10"
},
{
"version_value": "\u003e= 20, \u003c 20.0.6"
}
]
}
}
]
},
"vendor_name": "OpenMage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml. The latest OpenMage Versions up from 19.4.10 and 20.0.6 have this issue solved."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2",
"refsource": "CONFIRM",
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-99m6-r53j-4hh2"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3",
"refsource": "MISC",
"url": "https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3"
}
]
},
"source": {
"advisory": "GHSA-99m6-r53j-4hh2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26252",
"datePublished": "2021-01-20T21:55:13.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26255 (GCVE-0-2020-26255)
Vulnerability from cvelistv5 – Published: 2020-12-08 14:45 – Updated: 2024-08-04 15:56
VLAI
Title
PHP Phar archives could be uploaded and executed in Kirby
Summary
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14.
Severity
6.8 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://packagist.org/packages/getkirby/cms | x_refsource_MISC |
| https://packagist.org/packages/getkirby/panel | x_refsource_MISC |
| https://github.com/getkirby/kirby/security/adviso… | x_refsource_CONFIRM |
| https://github.com/getkirby/kirby/releases/tag/3.4.5 | x_refsource_MISC |
| https://github.com/getkirby/kirby/commit/db8f371b… | x_refsource_MISC |
| https://github.com/getkirby-v2/panel/commit/5a569… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.743Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packagist.org/packages/getkirby/cms"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packagist.org/packages/getkirby/panel"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.4.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kirby",
"vendor": "getkirby",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-08T14:45:20.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packagist.org/packages/getkirby/cms"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packagist.org/packages/getkirby/panel"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/3.4.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881"
}
],
"source": {
"advisory": "GHSA-g3h8-cg9x-47qw",
"discovery": "UNKNOWN"
},
"title": "PHP Phar archives could be uploaded and executed in Kirby",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26255",
"STATE": "PUBLIC",
"TITLE": "PHP Phar archives could be uploaded and executed in Kirby"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kirby",
"version": {
"version_data": [
{
"version_value": "\u003c 3.4.5"
}
]
}
}
]
},
"vendor_name": "getkirby"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packagist.org/packages/getkirby/cms",
"refsource": "MISC",
"url": "https://packagist.org/packages/getkirby/cms"
},
{
"name": "https://packagist.org/packages/getkirby/panel",
"refsource": "MISC",
"url": "https://packagist.org/packages/getkirby/panel"
},
{
"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw",
"refsource": "CONFIRM",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/3.4.5",
"refsource": "MISC",
"url": "https://github.com/getkirby/kirby/releases/tag/3.4.5"
},
{
"name": "https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09",
"refsource": "MISC",
"url": "https://github.com/getkirby/kirby/commit/db8f371b13036861c9cc5ba3e85e27f73fce5e09"
},
{
"name": "https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881",
"refsource": "MISC",
"url": "https://github.com/getkirby-v2/panel/commit/5a569d4e3ddaea2b6628d7ec1472a3e8bc410881"
}
]
},
"source": {
"advisory": "GHSA-g3h8-cg9x-47qw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26255",
"datePublished": "2020-12-08T14:45:20.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26285 (GCVE-0-2020-26285)
Vulnerability from cvelistv5 – Published: 2021-01-21 13:30 – Updated: 2024-08-04 15:56
VLAI
Title
Widget instances allows a hacker to inject an executable file on the server on OpenMage
Summary
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved
Severity
8.7 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/OpenMage/magento-lts/security/… | x_refsource_CONFIRM |
| https://github.com/OpenMage/magento-lts/commit/41… | x_refsource_MISC |
| https://github.com/OpenMage/magento-lts/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenMage | magento-lts |
Affected:
< 19.4.10
Affected: >= 20.0.0, < 20.0.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.104Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "magento-lts",
"vendor": "OpenMage",
"versions": [
{
"status": "affected",
"version": "\u003c 19.4.10"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c 20.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T13:30:17.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
}
],
"source": {
"advisory": "GHSA-hj6w-xrv3-wjj9",
"discovery": "UNKNOWN"
},
"title": "Widget instances allows a hacker to inject an executable file on the server on OpenMage",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26285",
"STATE": "PUBLIC",
"TITLE": "Widget instances allows a hacker to inject an executable file on the server on OpenMage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "magento-lts",
"version": {
"version_data": [
{
"version_value": "\u003c 19.4.10"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.0.5"
}
]
}
}
]
},
"vendor_name": "OpenMage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to import/export data and to create widget instances was able to inject an executable file on the server. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9",
"refsource": "CONFIRM",
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-hj6w-xrv3-wjj9"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586",
"refsource": "MISC",
"url": "https://github.com/OpenMage/magento-lts/commit/4132668f5009f17456fe644742026f56d2297586"
},
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10",
"refsource": "MISC",
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
}
]
},
"source": {
"advisory": "GHSA-hj6w-xrv3-wjj9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26285",
"datePublished": "2021-01-21T13:30:17.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:04.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26286 (GCVE-0-2020-26286)
Vulnerability from cvelistv5 – Published: 2020-12-28 23:25 – Updated: 2024-08-04 15:56
VLAI
Title
Arbitary file upload
Summary
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that your uploaded file storage only contains files that are allowed, as uploaded files might still be served. As workaround it's possible to block the `/uploadimage` endpoint on your instance using your reverse proxy. And/or restrict MIME-types and file names served from your upload file storage.
Severity
7.5 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/hedgedoc/hedgedoc/security/adv… | x_refsource_CONFIRM |
| https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1 | x_refsource_MISC |
| https://github.com/hedgedoc/hedgedoc/commit/e9306… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hedgedoc",
"vendor": "hedgedoc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that your uploaded file storage only contains files that are allowed, as uploaded files might still be served. As workaround it\u0027s possible to block the `/uploadimage` endpoint on your instance using your reverse proxy. And/or restrict MIME-types and file names served from your upload file storage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-28T23:25:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8"
}
],
"source": {
"advisory": "GHSA-wcr3-xhv7-8gxc",
"discovery": "UNKNOWN"
},
"title": "Arbitary file upload",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26286",
"STATE": "PUBLIC",
"TITLE": "Arbitary file upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hedgedoc",
"version": {
"version_data": [
{
"version_value": "\u003c 1.7.1"
}
]
}
}
]
},
"vendor_name": "hedgedoc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that your uploaded file storage only contains files that are allowed, as uploaded files might still be served. As workaround it\u0027s possible to block the `/uploadimage` endpoint on your instance using your reverse proxy. And/or restrict MIME-types and file names served from your upload file storage."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc",
"refsource": "CONFIRM",
"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc"
},
{
"name": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1",
"refsource": "MISC",
"url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1"
},
{
"name": "https://github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8",
"refsource": "MISC",
"url": "https://github.com/hedgedoc/hedgedoc/commit/e9306991cdb5ff2752c1eeba3fedba42aec3c2d8"
}
]
},
"source": {
"advisory": "GHSA-wcr3-xhv7-8gxc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26286",
"datePublished": "2020-12-28T23:25:13.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:04.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26295 (GCVE-0-2020-26295)
Vulnerability from cvelistv5 – Published: 2021-01-21 13:40 – Updated: 2024-08-04 15:56
VLAI
Title
CMS Editor code execution
Summary
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved
Severity
8.7 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/OpenMage/magento-lts/releases/… | x_refsource_MISC |
| https://github.com/OpenMage/magento-lts/security/… | x_refsource_CONFIRM |
| https://github.com/OpenMage/magento-lts/commit/9c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenMage | magento-lts |
Affected:
< 19.4.10
Affected: >= 20.0.0, < 20.0.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "magento-lts",
"vendor": "OpenMage",
"versions": [
{
"status": "affected",
"version": "\u003c 19.4.10"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c 20.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T13:40:19.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35"
}
],
"source": {
"advisory": "GHSA-52c6-6v3v-f3fg",
"discovery": "UNKNOWN"
},
"title": "CMS Editor code execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26295",
"STATE": "PUBLIC",
"TITLE": "CMS Editor code execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "magento-lts",
"version": {
"version_data": [
{
"version_value": "\u003c 19.4.10"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.0.6"
}
]
}
}
]
},
"vendor_name": "OpenMage"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.5, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml. The latest OpenMage Versions up from 19.4.9 and 20.0.5 have this Issue solved"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10",
"refsource": "MISC",
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.4.10"
},
{
"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg",
"refsource": "CONFIRM",
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-52c6-6v3v-f3fg"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35",
"refsource": "MISC",
"url": "https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35"
}
]
},
"source": {
"advisory": "GHSA-52c6-6v3v-f3fg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26295",
"datePublished": "2021-01-21T13:40:19.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
Mitigation ID: MIT-21
Phase: Architecture and Design
Strategy: Enforcement by Conversion
Description:
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Mitigation
Phase: Architecture and Design
Description:
- Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
Mitigation
Phase: Architecture and Design
Description:
- Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
Mitigation
Phase: Implementation
Strategy: Input Validation
Description:
- Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]
Mitigation
Phase: Implementation
Description:
- When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.
Mitigation ID: MIT-15
Phase: Architecture and Design
Description:
- For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
Phase: Implementation
Description:
- Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.
Mitigation
Phase: Implementation
Description:
- Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation ID: MIT-22
Phases: Architecture and Design, Operation
Strategy: Sandbox or Jail
Description:
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.