Vulnerability Description
An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensource-Socialnetwork | Open Source Social Network | <= 5.3 |
Related Weaknesses (CWE)
References
- https://github.com/LucidUnicorn/CVE-2020-10560-Key-RecoveryThird Party Advisory
- https://techanarchy.net/blog/cve-2020-10560-ossn-arbitrary-file-readExploitThird Party Advisory
- https://github.com/LucidUnicorn/CVE-2020-10560-Key-RecoveryThird Party Advisory
- https://techanarchy.net/blog/cve-2020-10560-ossn-arbitrary-file-readExploitThird Party Advisory
FAQ
What is CVE-2020-10560?
CVE-2020-10560 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserve...
How severe is CVE-2020-10560?
CVE-2020-10560 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-10560?
Check the references section above for vendor advisories and patch information. Affected products include: Opensource-Socialnetwork Open Source Social Network.