CVE-2020-15188
Severity: CRITICAL
SOY CMS <=3.0.2.327 - Unauthenticated Code Execution via Form Deserialization
Title source: manual
Description
SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.
References (4)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/inunosinsi/soycms/issues/10
Patch, Third Party Advisory (x_refsource_misc): https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020
Exploit, Third Party Advisory (x_refsource_misc): https://www.youtube.com/watch?v=zAE4Swjc-GU&feature=youtu.be
Scores
CVSS v3: 10.0
EPSS: 0.0508
EPSS Percentile: 91.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-502
Status: published
Products (1)
brassica/soy_cms < 3.0.2.328
Published: Sep 18, 2020
Tracked Since: Feb 18, 2026