CVE-2020-23972
published 2020-08-27


Priority: P1 81 (high)
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 31.44% (98.1th percentile)

In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files due to unrestricted file upload issues: the upload restrictions can be bypassed by changing the content-type and renaming the file to use a double extension.

Affected

1 range
Vendor | Product | Version range | Fixed in
gmapfp | gmapfp | |

Detection & IOCs (extracted from sources)

url: /index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=upload_image
url: /index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload
path: /images/stories/gmapfp/
path: /images/gmapfp/
filename: *.html.gif
other: com_gmapfp
  • Detect unauthenticated POST requests to the GMapFP upload endpoint — no session/auth token required by the application
  • Look for multipart file uploads where the filename uses a double extension pattern (e.g., .html.gif) combined with a mismatched Content-Type of text/html to bypass upload restrictions
  • Alert on POST requests containing the form field option=com_gmapfp targeting the upload_image or edit_upload task parameters
  • Monitor web-accessible paths /images/stories/gmapfp/ and /images/gmapfp/ for newly created .html or .html.gif files, which indicate successful exploitation
  • The exploit works against both the paid (J3.5) and free (J3.5free) variants of the GMapFP component; detections should cover both the 'com_gmapfp' and 'comgmapfp' option parameter values observed in the PoC template
  • The multipart boundary used in the PoC is fixed (----WebKitFormBoundarySHHbUsfCoxlX1bpS); real-world attackers may vary this, so boundary-based signatures alone are insufficient
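
The detection guidance above, combined into one check, as an added example that is not part of the original entry or of any vendor rule. It assumes requests have already been parsed into a hypothetical record (method, uri, has_session, form, files) by a WAF or proxy log pipeline; the record layout, function names and reason labels are illustrative, and it deliberately ignores the multipart boundary.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the IOC list above.
OPTIONS = {"com_gmapfp", "comgmapfp"}
TASKS = {"upload_image", "edit_upload"}
UPLOAD_DIRS = ("/images/stories/gmapfp/", "/images/gmapfp/")
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}  # assumed set of allowed image types
DOUBLE_EXT = re.compile(r"\.html\.\w+$", re.I)


def check_request(req):
    """Return the reasons a parsed HTTP request matches the guidance above.

    `req` is a hypothetical normalized record: method, uri, has_session,
    form (dict of body fields), files (list of (filename, content_type)).
    """
    reasons = []
    query = parse_qs(urlsplit(req["uri"]).query)
    params = {k: v[0] for k, v in query.items()}
    params.update(req.get("form", {}))  # option=/task= may arrive as form fields
    if (req["method"] != "POST" or params.get("option") not in OPTIONS
            or params.get("task") not in TASKS):
        return reasons
    reasons.append("upload-endpoint")
    if not req.get("has_session"):
        reasons.append("unauthenticated")
    for filename, ctype in req.get("files", []):
        if DOUBLE_EXT.search(filename):
            reasons.append("double-extension")
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext in IMAGE_EXTS and not ctype.lower().startswith("image/"):
            reasons.append("content-type-mismatch")
    return reasons


def suspicious_upload(path):
    """True for .html or .html.<ext> files inside the GMapFP upload directories."""
    p = path.lower()
    in_dir = any(d in p for d in UPLOAD_DIRS)
    return in_dir and (p.endswith(".html") or bool(DOUBLE_EXT.search(p)))


# Constructed sample record, not captured traffic.
SAMPLE_HIT = {
    "method": "POST", "has_session": False,
    "uri": "/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=upload_image",
    "files": [("note.html.gif", "text/html")],
}
```

`check_request` covers the request-side bullets; `suspicious_upload` is meant to be run over file-creation events or a periodic listing of the web root.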

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck | | 7.5 | HIGH |