exploitDog

CVE-2020-26804

Опубликовано: 12 нояб. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

Ссылки

https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
Exploit
Third Party Advisory
https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sapplica:sentrifugo:3.2:*:*:*:*:*:*:*

EPSS

Процентиль: 62%

0.00423

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-6jgh-69hg-fvcw

github

больше 3 лет назад

In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

EPSS

Процентиль: 62%

0.00423

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434