CVE-2020-24036

HIGH

ForkCMS <5.8.3 - Command Injection

Title source: llm

Description

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.

References (4)

[Product] http://forkcms.com

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Mar/31

[Exploit, Patch, Third Party Advisory] https://tech.feedyourhead.at/content/ForkCMS-PHP-Object-Injection-CVE-2020-24036

[Exploit, Patch, Third Party Advisory] https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-04

Scores

CVSS v3 8.8

EPSS 0.0099

EPSS Percentile 76.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

fork-cms/fork_cms < 5.8.3

Timeline

Published Mar 04, 2021

Tracked Since Feb 18, 2026