CVE-2020-13424

MEDIUM

XCloner < 3.5.4 - Authenticated Local File Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13424. PoCs published by mkelepce.

AI-analyzed exploit summary: This PoC demonstrates a Local File Inclusion (LFI) vulnerability in Joomla! Plugin XCloner Backup 3.5.3, allowing authenticated users to read arbitrary files via directory traversal in the 'file' parameter.

Description

The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

Exploits (1)

nomisec WORKING POC
by mkelepce · poc
https://github.com/mkelepce/CVE-2020-13424

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Joomla! Plugin XCloner Backup 3.5.3
Auth required
Prerequisites: Authenticated access to Joomla administrator panel
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.5
EPSS: 0.0171
EPSS Percentile: 74.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

Status: published
Products (1): xcloner/xcloner < 3.5.4
Published: May 23, 2020
Tracked Since: Feb 18, 2026