CVE-2020-27386

Name of the Vulnerable Software and Affected Versions FlexDotnetCMS versions prior to 1.5.9

Description The issue allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code in the form of a safe file type and then renaming the file to an executable extension using the FileEditor or the FileManager's rename function. The attacker can then execute the file via an HTTP GET request to the file's path.

Recommendations For versions prior to 1.5.9, update to version 1.5.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the FileManager and FileEditor to minimize the risk of exploitation. Avoid using the rename function in the FileManager to prevent malicious file uploads.