Disclosure Date 2020/10/19

CVE-2020-5640

Unauthenticated LFI to RCE in OneThird CMS

Remote code execution via local file inclusion in OneThird CMS

Credit

stypr (@stereotype32)

Affected-Versions

1.96c and earlier

CWE

CWE-98

Description

A local file inclusion vulnerability in OneThird CMS v1.96c and earlier allows a remote unauthenticated attacker to execute arbitrary code via an undisclosed file upload feature. The attacker can also use this vulnerability to obtain arbitrary files and sensitive information such as the database.
