PT-2020-15905 · Mara · Mara Cms
Published 2020-09-03 · Updated 2022-12-03 · CVE-2020-25042
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mara CMS version 7.5
Description
An issue exists that allows arbitrary file upload. To exploit this, an attacker needs a valid authenticated session and must make a "codebase/dir.php?type=filenew" request to upload PHP code to "codebase/handler.php".
Recommendations
For Mara CMS version 7.5, consider restricting access to the "codebase/dir.php" endpoint to prevent unauthorized file uploads until a patch is available. As a temporary workaround, restrict the type parameter of the "codebase/dir.php" endpoint so that it cannot be set to "filenew", which prevents the upload of malicious PHP code.
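Until access to the endpoint is restricted, the two requests the description names can be spotted in the web server's access log. The script below is an added example written for this page (it is not from the advisory or from the Mara CMS project); it assumes a standard combined access-log format and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined access-log format: client, identd, user, timestamp, request line, status, size.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_suspicious(lines):
    """Flag the two requests the advisory describes:
    1. codebase/dir.php requested with type=filenew
    2. a POST to codebase/handler.php, where the uploaded PHP code lands
    Returns a list of (line_number, reason, client_ip) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith("/codebase/dir.php") and rec["query"].get("type", "").lower() == "filenew":
            hits.append((n, "dir.php type=filenew", rec["ip"]))
        elif rec["path"].endswith("/codebase/handler.php") and rec["method"] == "POST":
            hits.append((n, "POST to handler.php", rec["ip"]))
    return hits

# Constructed sample log lines (not real traffic); lines 3 and 4 are benign.
SAMPLE_LOG = [
    '203.0.113.7 - admin [03/Sep/2020:10:15:01 +0000] "GET /codebase/dir.php?type=filenew HTTP/1.1" 200 1834',
    '203.0.113.7 - admin [03/Sep/2020:10:15:09 +0000] "POST /codebase/handler.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [03/Sep/2020:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [03/Sep/2020:10:17:00 +0000] "GET /codebase/dir.php?type=fileedit HTTP/1.1" 200 1702',
]

if __name__ == "__main__":
    for n, reason, ip in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {reason} from {ip}")
```

A POST to handler.php on its own may be ordinary editor use, so treat the dir.php?type=filenew request followed by a handler.php POST from the same client as the indicator worth reviewing.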
Weakness Enumeration
Unrestricted File Upload
Affected Products
Mara Cms