CVE-2020-10963

HIGH

FrozenNode Laravel-Administrator <5.0.12 - RCE

Title source: llm

Description

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

Exploits (2)

exploitdb WORKING POC
by Xavi Beltran · python · webapps · php
https://www.exploit-db.com/exploits/49112
nomisec WORKING POC
by scopion · poc
https://github.com/scopion/CVE-2020-10963

Scores

CVSS v3 7.2
EPSS 0.2242
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (2)
frozennode/administrator 0 Packagist
frozennode/laravel-administrator < 5.0.12
Published Mar 25, 2020
Tracked Since Feb 18, 2026