PT-2021-3489 · Machform · Machform

Published

2021-06-28

Updated

2021-07-02

CVE-2021-20104

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Machform versions prior to 16

Description The issue is related to insufficient sanitization of file attachments uploaded with forms through the upload.php endpoint. This allows for unauthenticated remote code execution. The vulnerability is associated with a lack of restrictions on file uploads in the Machform form creation editor. Exploitation of the vulnerability can enable a remote attacker to execute arbitrary code.

Recommendations For versions prior to 16, update to version 16 or later to resolve the issue. As a temporary workaround, consider restricting access to the upload.php endpoint to minimize the risk of exploitation.

Exploit

Fix

Memory Leak

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-401CWE-434

Related Identifiers

BDU:2021-03519

CVE-2021-20104

Affected Products

Machform

PT-2021-3489 · Machform · Machform

CVE-2021-20104

Weakness Enumeration

Related Identifiers

Affected Products

References · 7