CVE-2020-13443

ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must to be able to send and compose messages (at least).
References
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*

Information

Published : 2020-06-24 08:15

Updated : 2020-07-02 11:37


NVD link : CVE-2020-13443

Mitre link : CVE-2020-13443


JSON object : View

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type

Advertisement

dedicated server usa

Products Affected

expressionengine

  • expressionengine