WARNING! Fake news / Uwaga! Nota nieprawdziwa

Typesetter CMS 5.1 Remote Code Execution

2020.10.07
Risk: High
Local: No
Remote: Yes
CWE: CWE-434

=====[ Tempest Security Intelligence - ADV-09/2020 ]========================== Typesetter CMS Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information]============================================= * Class: Unrestricted Upload of File with Dangerous CWE-434 * CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2020-25790 =====[ Overview]======================================================== * System affected : Typesetter - Version 5.1 * Software Version : Version 5.1 * Impact : Typesetter 5.1 is vulnerable to code execution via /index.php/Admin/Uploaded. An attacker can exploit this by upload a zip that contains a malicious php file inside. After extracting the zip file containing the malicious php file, it is possible to execute commands on the target operation system. =====[ Detailed description]================================================= The CMS Typesetter has functionality (web interface) where it is possible through an account with privileges to perform uploads. Through this functionality, it is possible to upload a .zip file that contains a malicious .php file. In the same functionality, there is also the possibility to extract the file through the same web interface, the attacker only needs to extract the .zip that was previously loaded and click on the malicious .php file to execute commands in the operating system. =====[ Timeline of disclosure]=============================================== 18/Sep/2020 - Responsible disclosure was initiated with the vendor. 18/Sep/2020 - Typesetter confirmed the issue; 18/Sep/2019 - The vendor fixed the vulnerability in version 5.2. 19/Sep/2020 - CVE was assigned as CVE-2020-25790 =====[ Thanks & Acknowledgements]======================================== * Tempest Security Intelligence [4] =====[ References ]===================================================== [1][ https://cwe.mitre.org/data/definitions/434.html|https://cwe.mitre.org/data/definitions/434.html] [2][ https://github.com/Typesetter/Typesetter/issues/674|https://github.com/Typesetter/Typesetter/issues/674] [3][ http://www.tempest.com.br|http://www.tempest.com.br/] =====[ EOF ]===========================================================


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top