Arbitrary File Upload Vulnerability in bloofoxCMS by bloofox
CVE-2020-35709

4.9MEDIUM

Key Information:

Vendor: Bloofox
Status: Bloofoxcms
Vendor: CVE Published:; 25 December 2020

What is CVE-2020-35709?

The bloofoxCMS version 0.5.2.1 is susceptible to an arbitrary file upload vulnerability, allowing authenticated administrators to upload malicious .php files disguised with the 'Content-Type: application/octet-stream'. This vulnerability enables attackers to exploit the system through the admin tools interface located at ../media/images/, resulting in potential unauthorized access and execution of arbitrary code within the web server.

References

https://github.com/alexlang24/bloofoxCMS/issues/7

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 25, 2020
Vulnerability Reserved
Dec 25, 2020

CVE-2020-35709 Data

JSON

Bloofox

What is CVE-2020-35709?

References

CVSS V3.1

Timeline