CVE-2020-27386

HIGH

FlexDotnetCMS <1.5.9 - RCE

Title source: llm

Description

An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to /<path_to_file>.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Erik Wynter · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/flexdotnetcms_upload_exec.rb

View Code ZIP pw:eip

References (4)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/160411/FlexDotnetCMS-1.5.8-Arbitrary-ASP-File-Upload.html

[Exploit, Third Party Advisory] https://blog.vonahi.io/whats-in-a-re-name/

[Release Notes, Third Party Advisory] https://github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9

[Exploit, Patch, Third Party Advisory] https://github.com/rapid7/metasploit-framework/pull/14339

Scores

CVSS v3 8.8

EPSS 0.7795

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

flexdotnetcms_project/flexdotnetcms < 1.5.9

Published Nov 12, 2020

Tracked Since Feb 18, 2026