Vulnerability CVE-2020-25790


Published: 2020-09-19   Modified: 2020-09-20

Description:
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2.

See advisories in our WLB2 database:
Risk: High
Topic: Typesetter CMS 5.1 Remote Code Execution
Author: Rodolfo Tavares
Date: 07.10.2020

Type:
CWE-434 (Unrestricted Upload of File with Dangerous Type)

References:
https://github.com/Typesetter/Typesetter/issues/674

Copyright 2021, cxsecurity.com

 
