Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2020-7246

Disclosure Date: January 21, 2020

Description

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This looks just as useful as CVE-2015-3884 for deploying a web shell, and easy to check for exploitability. I’m not sure if this is authenticated though, so it’s unclear if this is useful without some level of additional access. The CVSS score indicates that it does not require additional privileges, so I guess not?

I didn’t find any of these at first glance sitting on the bare internet with Shodan.

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • qdpm

Products

  • qdpm