CVE-2020-23972

HIGH EXPLOITED NUCLEI

Joomla Component GMapFP <J3.5/J3.5free - Info Disclosure


Exploitation Summary

CVE-2020-23972 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including ThelastVvV. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing an unauthenticated arbitrary file upload vulnerability in Joomla! Component GMapFP 3.5. The exploit involves bypassing file upload restrictions by manipulating content-type and using double extensions.

Description

In Joomla Component GMapFP versions J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can upload files, because the unrestricted file upload checks can be bypassed by changing the content-type and giving the file name a double extension.

Exploits (1)

exploitdb WRITEUP
by ThelastVvV · text · webapps · php
https://www.exploit-db.com/exploits/49129

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Joomla! Component GMapFP 3.5 / J3.5free
No auth needed
Prerequisites: Access to the target Joomla! instance with GMapFP component installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Joomla! Component GMapFP 3.5 - Arbitrary File Upload
HIGH · by dwisiswant0


Scores

CVSS v3 7.5
EPSS 0.7316
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2021-04-12
CWE CWE-434
Status published
Products (1)
gmapfp/gmapfp j3.5 (2 CPE variants)
Published Aug 27, 2020
Tracked Since Feb 18, 2026