CVE-2020-8644

CRITICAL KEV NUCLEI

PlaySMS <1.4.3 - XSS

Title source: llm

Description

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/48335

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by H3rm1tR3b0rn · remote-auth

https://github.com/H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/playsms_template_injection.rb

View Code ZIP pw:eip

Nuclei Templates (1)

playSMS <1.4.3 - Remote Code Execution

CRITICALby dbrwsky

References (5)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html

[Broken Link, Release Notes, Vendor Advisory] https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704

[Vendor Advisory] https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/

[Exploit] https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8644

Scores

CVSS v3 9.8

EPSS 0.9406

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-29492

CWE

CWE-94

Status published

Products (1)

playsms/playsms < 1.4.3

Published Feb 05, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026