CVE-2020-11807 — HIGH (7.8)

Vulnerability Description

Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sourcefabric	Newscoop	4.4.7

Related Weaknesses (CWE)

CWE-434

References

https://gist.github.com/V-Rico/82e9e52ac451dc20eef87b0999b3b1eeExploitThird Party Advisory
https://github.com/sourcefabric/Newscoop/blob/3df835637609a5a42530b2a4611177c634PatchThird Party Advisory
https://gist.github.com/V-Rico/82e9e52ac451dc20eef87b0999b3b1eeExploitThird Party Advisory
https://github.com/sourcefabric/Newscoop/blob/3df835637609a5a42530b2a4611177c634PatchThird Party Advisory

FAQ

What is CVE-2020-11807?

CVE-2020-11807 is a vulnerability with a CVSS score of 7.8 (HIGH). Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by ...

How severe is CVE-2020-11807?

CVE-2020-11807 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-11807?

Check the references section above for vendor advisories and patch information. Affected products include: Sourcefabric Newscoop.