CVE-2020-13443

ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must to be able to send and compose messages (at least).

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://expressionengine.com/blog	Vendor Advisory
https://gist.github.com/mariuszpoplwski/51604d8a6d7d78fffdf590c25e844e09	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-06-24 15:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-13443

Mitre link : CVE-2020-13443

CVE.ORG link : CVE-2020-13443

JSON object : View

Products Affected

expressionengine

expressionengine

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2020-13443", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-06-24T15:15:11.617", "references": [{"url": "https://expressionengine.com/blog", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/mariuszpoplwski/51604d8a6d7d78fffdf590c25e844e09", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must to be able to send and compose messages (at least)."}, {"lang": "es", "value": "ExpressionEngine versiones anteriores a 5.3.2, permite a atacantes remotos cargar y ejecutar c\u00f3digo arbitrario en un archivo .php%20 por medio de las acciones Componer Msg, Add attachment y Save As Draft. Un usuario con pocos privilegios (miembro) es capaz de cargar esto. Es posible omitir la comprobaci\u00f3n del tipo MIME y la comprobaci\u00f3n de extensi\u00f3n de archivo al cargar nuevos archivos. Los seud\u00f3nimos cortos no se usan para un archivo adjunto; en cambio, se permite el acceso directo a los archivos cargados. Es posible cargar PHP solo si uno tiene acceso de miembro, o registration/forum est\u00e1 habilitado y uno puede crear un miembro con el ID de grupo predeterminado de 5. Para explotar esto, uno debe ser capaz de enviar y redactar mensajes (al menos)"}], "lastModified": "2020-07-02T18:37:07.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEC89331-D8D0-4AC1-822A-0CB8E2808E4A", "versionEndExcluding": "5.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}