Arbitrary File Upload Vulnerability in Mara CMS by Mara Studio
CVE-2020-25042

7.2HIGH

Key Information:

Vendor

Maracms

Status
Maracms
Vendor
CVE Published:
3 September 2020

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐ŸŸฃ EPSS 77%

What is CVE-2020-25042?

An arbitrary file upload vulnerability exists in Mara CMS version 7.5 that allows an authenticated attacker to upload malicious PHP scripts. This can be exploited by sending a request to codebase/dir.php?type=filenew while in a valid admin or manager session. Once the malicious file is uploaded, it can be executed to compromise the integrity and confidentiality of the system, making it crucial for users of this CMS to apply necessary security measures.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-25042 - Proof of Concept

CVE-2020-25042-PoC
Created by Groppoxx

References

https://sourceforge.net/projects/maracms/
x_refsource_MISC
https://www.exploit-db.com/exploits/48780
x_refsource_MISC
http://packetstormsecurity.com/files/159304/MaraCMS-7.5-R...
x_refsource_MISC

EPSS Score

77% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.