PT-2023-11588 · Unknown · Nucleus Cms

Gsuhy-Lo · Published 2023-06-20 · Updated 2024-12-10 · CVE-2020-21474

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NucleusCMS version 3.71

Description

The issue allows a remote attacker to execute arbitrary code. This is achieved via the "https://example.com/nucleus/plugins/skinfiles/?dir=rsd" API endpoint, where the dir parameter is set to rsd.

Recommendations

For NucleusCMS version 3.71, consider disabling the file upload functionality until a patch is available. Restrict access to the /nucleus/plugins/skinfiles/ API endpoint to minimize the risk of exploitation. Avoid using the dir parameter in the affected API endpoint until the issue is resolved.
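
To support the recommendation to restrict the endpoint, the following added example (not part of the advisory or of NucleusCMS) reviews web-server access logs for requests to /nucleus/plugins/skinfiles/ and reports the dir value and method of each. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Path named in the advisory; everything else in this script is an assumption.
SKINFILES_PATH = "/nucleus/plugins/skinfiles"

# Assumed log format: Apache/nginx "combined".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(raw_path):
    """Percent-decode, lowercase and collapse repeated slashes before matching."""
    return re.sub(r"/{2,}", "/", unquote(raw_path).lower())

def skinfiles_requests(lines):
    """Return one record per logged request that reached the skinfiles endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        raw_path, _, raw_query = m["target"].partition("?")
        path = normalize_path(raw_path)
        if not (path == SKINFILES_PATH or path.startswith(SKINFILES_PATH + "/")):
            continue
        query = parse_qs(raw_query, keep_blank_values=True)
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "dir": query.get("dir", [None])[0],
            # The weakness is a file upload, so body-carrying requests come first.
            "review_first": m["method"] in ("POST", "PUT"),
        })
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2023:10:01:02 +0000] "GET /nucleus/plugins/skinfiles/?dir=rsd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Jun/2023:10:01:09 +0000] "POST /nucleus/plugins/skinfiles/?dir=rsd HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Jun/2023:10:02:00 +0000] "GET /index.php?blogid=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Jun/2023:10:03:00 +0000] "GET /Nucleus/plugins//%73kinfiles/ HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in skinfiles_requests(SAMPLE_LOG):
        print(hit)
```

A 403 on the last sample line is what a working access restriction looks like in the log; 200 responses to the endpoint from addresses outside the administrators' range indicate the restriction is not in effect.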

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2020-21474

Affected Products

Nucleus Cms