CVE-2020-15929

Name of the Vulnerable Software and Affected Versions Ortus TestBox versions 2.4.0 through 4.1.0

Description The issue allows an attacker to write an arbitrary CFM file within the application's context, containing attacker-defined CFML tags, leading to Remote Code Execution. This is achieved by passing unvalidated query string parameters to the system/runners/HTMLRunner.cfm endpoint.

Recommendations For Ortus TestBox versions 2.4.0 through 4.1.0, consider disabling access to the system/runners/HTMLRunner.cfm endpoint until a patch is available. Restrict the ability to write CFM files within the application's context to minimize the risk of exploitation. Avoid using unvalidated query string parameters in the affected endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.