CVE-2020-15050
Published: 2020-07-13
Priority: P2 · 70 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public
EPSS: 50.73% (98.8th percentile)
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supremainc | biostar_2 | < 2.8.2 | 2.8.2 |
Detection & IOCs (extracted from sources)
- Detect LFI exploitation attempts by matching HTTP GET requests containing excessive path traversal sequences (../../../../) targeting Windows system files such as win.ini in the URL path.
- Match HTTP response body for the strings 'bit app support', 'fonts', and 'extensions' simultaneously — these are win.ini section markers confirming successful LFI file read.
- The vulnerability exists specifically in the Video Extension component of BioStar 2, not the core product — detection should be scoped to endpoints served by that extension.
- The exploit was tested on Windows targets only; traversal payload targets Windows-specific paths (win.ini). Linux-hosted deployments may use different traversal targets.
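The two detection notes above (request-side traversal matching and response-side win.ini marker matching) as a defensive check, added here as an example and not taken from any source indexed on this page. The log lines, the endpoint path and the response body are constructed placeholders, not BioStar 2's real Video Extension paths; the check goes slightly beyond the notes by percent-decoding the path so encoded traversal sequences are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic). The endpoint path is a
# placeholder, not the actual BioStar 2 Video Extension endpoint.
SAMPLE_REQUESTS = [
    'GET /EXAMPLE-VIDEO-ENDPOINT/../../../../windows/win.ini HTTP/1.1',
    'GET /EXAMPLE-VIDEO-ENDPOINT/..%2f..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1',
    'GET /EXAMPLE-VIDEO-ENDPOINT/stream/cam1.jpg HTTP/1.1',
    'GET /static/../fonts/app.css HTTP/1.1',
]

# win.ini section markers listed in the Detection & IOCs notes.
WIN_INI_MARKERS = ('bit app support', 'fonts', 'extensions')

TRAVERSAL_RUN_RE = re.compile(r'(?:\.\./)+')
TARGET_RE = re.compile(r'win\.ini\b', re.IGNORECASE)


def is_traversal_request(log_line: str, min_depth: int = 3) -> bool:
    """True if a GET line carries an "excessive" run of ../ (min_depth or more
    consecutive segments) and names win.ini. The path is percent-decoded twice
    and backslashes normalised so encoded dots/slashes are still seen."""
    parts = log_line.split()
    if len(parts) < 2 or parts[0].upper() != 'GET':
        return False
    path = unquote(unquote(parts[1])).replace('\\', '/')
    depth = max((len(m.group(0)) // 3 for m in TRAVERSAL_RUN_RE.finditer(path)),
                default=0)
    return depth >= min_depth and TARGET_RE.search(path) is not None


def is_win_ini_read(response_body: str) -> bool:
    """True if the body contains all three win.ini section markers at once,
    the success indicator described in the notes above."""
    body = response_body.lower()
    return all(marker in body for marker in WIN_INI_MARKERS)


# Constructed response body modelled on a default Windows win.ini.
SAMPLE_BODY = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"

if __name__ == '__main__':
    for line in SAMPLE_REQUESTS:
        print(f"{'ALERT' if is_traversal_request(line) else 'ok   '} {line}")
    print('win.ini read confirmed:', is_win_ini_read(SAMPLE_BODY))
```

Scope the request check to the Video Extension's endpoints in production, as the third note recommends, to keep the ../ heuristic from firing on unrelated applications.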
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Exploit-DB
Bio Star 2.8.2 - Local File Inclusion (exploitdb · 2020-07-26 · CVSS 7.5, HIGH)
---
# Exploit Title: Bio Star 2.8.2 - Local File Inclusion
# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi)
# Google Dork: N/A
# Date of Exploit Release: 2020-07-13
# Exploit Author: SITE Team
# Vendor Homepage: https://www.supremainc.com/en/main.asp
# Software Link: https://www.supremainc.com/en/support/biostar-2-pakage.asp
# Version: Bio Star 2, Video Extension up to version 2.8.2
# Tested on: Windows
# CVE : CVE-2020-15050
#!/bin/bash
# Exploit Title: Video Extension of Bio Star up to 2.8.1 Local File Inclusion Exploit
# Authors: SITE Team (Rian Saaty, Bashaer AlHarthy, Safeyah Alhazmi)
# Google Dork: N/A
# Date of Exploit Release: 13/7/2020
# Exploit Author: SITE Team
# Vendor Homepage: https://www.supremainc.com/en/main.as
Nuclei
Suprema BioStar <2.8.2 - Local File Inclusion (nuclei · CVSS 7.5, HIGH)
Suprema BioStar before 2.8.2 Video Extension allows remote attackers to read arbitrary files from the server via local file inclusion.
Template:

```yaml
id: CVE-2020-15050

info:
  name: Suprema BioStar <2.8.2 - Local File Inclusion
  author: gy741
  severity: high
  description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remediation: |
    Upgrade Suprema BioStar to version 2.8.2 or later to fix the LFI vulnerability.
  reference:
    - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-Fi
```
No writeups or analysis indexed.