9.8

CVE-2020-29592

Exploit

EPSS 1.34%
Veröffentlicht 14.04.2021 15:15:13
Zuletzt bearbeitet 21.11.2024 05:24:16
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Orchard before 1.10. A broken access control issue in Orchard components that use the TinyMCE HTML editor's file upload allows an attacker to upload dangerous executables that bypass the file types allowed (regardless of the file types allowed list in Media settings).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orchardproject ≫ Orchard Version < 1.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.34%	0.782

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://burninatorsec.blogspot.com/2021/04/cve-2020-29592-and-cve-2020-29593.html

Third Party Advisory

Exploit

https://github.com/OrchardCMS/Orchard/releases

Third Party Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2020-29592

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-29592

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-29592

EUVD