PT-2021-10665 · Crmeb · Crmeb

C0D1M4X

Published

2021-06-24

Updated

2021-06-30

CVE-2020-21787

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: CRMEB versions 3.1.0 and later

Description: The issue concerns a File Upload Getshell vulnerability via the /crmeb/crmeb/services/UploadService.php endpoint. This allows for potential exploitation.

Recommendations: For CRMEB versions 3.1.0 and later, as a temporary workaround, consider disabling the file upload functionality in UploadService.php until a patch is available. Restrict access to the /crmeb/crmeb/services/UploadService.php endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2020-21787

Affected Products

Crmeb

PT-2021-10665 · Crmeb · Crmeb

CVE-2020-21787

Weakness Enumeration

Related Identifiers

Affected Products

References · 4