Vulnerability Details CVE-2020-26048
The file manager option in CuppaCMS before 2019-11-12 allows an authenticated attacker to upload a malicious file within an image extension and through a custom request using the rename function provided by the file manager is able to modify the image extension into PHP resulting in remote arbitrary code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.019
EPSS Ranking 82.3%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2020-26048
-
cpe:2.3:a:cuppacms:cuppacms:-
-
cpe:2.3:a:cuppacms:cuppacms:1.0
-
cpe:2.3:a:cuppacms:cuppacms:2016-05-25
-
cpe:2.3:a:cuppacms:cuppacms:2016-05-26
-
cpe:2.3:a:cuppacms:cuppacms:2016-06-09
-
cpe:2.3:a:cuppacms:cuppacms:2016-06-21
-
cpe:2.3:a:cuppacms:cuppacms:2016-06-30
-
cpe:2.3:a:cuppacms:cuppacms:2016-07-21
-
cpe:2.3:a:cuppacms:cuppacms:2016-07-27
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-01
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-03
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-05
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-19
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-22
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-25
-
cpe:2.3:a:cuppacms:cuppacms:2016-08-27
-
cpe:2.3:a:cuppacms:cuppacms:2016-10-04
-
cpe:2.3:a:cuppacms:cuppacms:2016-10-17
-
cpe:2.3:a:cuppacms:cuppacms:2016-11-05
-
cpe:2.3:a:cuppacms:cuppacms:2016-11-29
-
cpe:2.3:a:cuppacms:cuppacms:2016-12-06
-
cpe:2.3:a:cuppacms:cuppacms:2016-12-12
-
cpe:2.3:a:cuppacms:cuppacms:2017-06-08
-
cpe:2.3:a:cuppacms:cuppacms:2017-08-07
-
cpe:2.3:a:cuppacms:cuppacms:2017-10-02
-
cpe:2.3:a:cuppacms:cuppacms:2017-12-16
-
cpe:2.3:a:cuppacms:cuppacms:2018-03-28
-
cpe:2.3:a:cuppacms:cuppacms:2018-04-09
-
cpe:2.3:a:cuppacms:cuppacms:2018-04-24
-
cpe:2.3:a:cuppacms:cuppacms:2018-06-25
-
cpe:2.3:a:cuppacms:cuppacms:2018-09-04
-
cpe:2.3:a:cuppacms:cuppacms:2018-10-09
-
cpe:2.3:a:cuppacms:cuppacms:2018-11-12