CVE-2020-11699

HIGH

Titanhq Spamtitan - OS Command Injection

Title source: rule

Description

An issue was discovered in Titan SpamTitan 7.07. Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page.

Exploits (1)

exploitdb WORKING POC

pythonwebappsmultiple

https://www.exploit-db.com/exploits/48817

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html

[Third Party Advisory] https://github.com/felmoltor

[Exploit, Third Party Advisory] https://sensepost.com/blog/2020/clash-of-the-spamtitan/

[Third Party Advisory] https://twitter.com/felmoltor

[Vendor Advisory] https://www.spamtitan.com/

Scores

CVSS v3 8.8

EPSS 0.1657

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

titanhq/spamtitan 7.07

Published Sep 17, 2020

Tracked Since Feb 18, 2026