CVE-2020-15188

CRITICAL

SOY CMS <3.0.2.327 - RCE

Title source: llm

Description

SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.

References (4)

[Exploit, Third Party Advisory] https://github.com/inunosinsi/soycms/issues/10

[Patch, Third Party Advisory] https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020

[Exploit, Third Party Advisory] https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp

[Exploit, Third Party Advisory] https://www.youtube.com/watch?v=zAE4Swjc-GU&feature=youtu.be

Scores

CVSS v3 10.0

EPSS 0.0469

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

brassica/soy_cms < 3.0.2.328

Timeline

Published Sep 18, 2020

Tracked Since Feb 18, 2026