cbcvebase.
CVE-2020-13774
published 2020-11-12

CVE-2020-13774: An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code…

PriorityP268critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
4.75%
90.8th percentile
An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.

Affected

2 ranges
VendorProductVersion rangeFixed in
ivantiendpoint_manager
ivantiendpoint_manager

Detection & IOCsextracted from sources · hover to see the quote

pathEditLaunchPadDialog.aspx
  • Monitor for ASPX file uploads to EditLaunchPadDialog.aspx on Ivanti Endpoint Manager servers, particularly multipart POST requests containing .aspx file extensions in the uploaded image field.
  • Look for residual/temporary ASPX files left in web-accessible directories on the server following a failed upload operation, as these may be exploitable webshells.
  • Alert on HTTP GET/POST requests to newly created .aspx files in directories served by the Ivanti Endpoint Manager web application, especially those not matching known application files.
  • ·Exploitation requires an authenticated session; unauthenticated access alone is insufficient to trigger the file upload vulnerability.
  • ·Affected versions are specifically Ivanti Endpoint Manager 2019.1 and 2020.1; detections should be scoped to these versions.
  • ·The vulnerability is rooted in insufficient file extension validation (CWE-434); detection logic should focus on extension-based bypass techniques (e.g., double extensions, null bytes) in upload requests to EditLaunchPadDialog.aspx.

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.