CVE-2020-23972
published 2020-08-27CVE-2020-23972: In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload…
PriorityP181high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
31.44%
98.1th percentile
In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gmapfp | gmapfp | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to the GMapFP upload endpoint — no session/auth token required by the application ↗
- →Look for multipart file uploads where the filename uses a double extension pattern (e.g., .html.gif) combined with a mismatched Content-Type of text/html to bypass upload restrictions ↗
- →Alert on POST requests containing the form field option=com_gmapfp targeting the upload_image or edit_upload task parameters ↗
- →Monitor web-accessible paths /images/stories/gmapfp/ and /images/gmapfp/ for newly created .html or .html.gif files, which indicate successful exploitation ↗
- ·The exploit works against both the paid (J3.5) and free (J3.5free) variants of the GMapFP component; detections should cover both the 'com_gmapfp' and 'comgmapfp' option parameter values observed in the PoC template ↗
- ·The multipart boundary used in the PoC is fixed (----WebKitFormBoundarySHHbUsfCoxlX1bpS); real-world attackers may vary this, so boundary-based signatures alone are insufficient ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-mhx3-6rjm-4cmc: In Joomla Component GMapFP Version J3
ghsa_unreviewed·2022-05-24
CVE-2020-23972 [MEDIUM] GHSA-mhx3-6rjm-4cmc: In Joomla Component GMapFP Version J3
In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions.
VulnCheck
gmapfp gmapfp Unrestricted Upload of File with Dangerous Type
vulncheck·2020·CVSS 7.5
CVE-2020-23972 [HIGH] gmapfp gmapfp Unrestricted Upload of File with Dangerous Type
gmapfp gmapfp Unrestricted Upload of File with Dangerous Type
In Joomla Component GMapFP Version J3.5 and J3.5free, an attacker can access the upload function without authenticating to the application and can also upload files which due to issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions.
Affected: gmapfp gmapfp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
No detection rules found.
Exploit-DB
Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
exploitdb·2020-12-01·CVSS 7.5
CVE-2020-23972 [HIGH] Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
---
# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:''com_gmapfp''
# Date: 2020-03-27
# Exploit Author: ThelastVvV
# Vendor Homepage: https://gmapfp.org/
# Version:Version J3.5 /J3.5free
# Tested on: Ubuntu
# CVE: CVE-2020-23972
# Description:
An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions
# PoC:
Version J3.5
http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload
-Once the attacker can locate the unauthe
Nuclei
Joomla! Component GMapFP 3.5 - Arbitrary File Upload
nuclei·CVSS 7.5
CVE-2020-23972 [HIGH] Joomla! Component GMapFP 3.5 - Arbitrary File Upload
Joomla! Component GMapFP 3.5 - Arbitrary File Upload
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
Template:
id: CVE-2020-23972
info:
name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
author: dwisiswant0
severity: high
description: |
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
Threat Research Center
Trend Reports
Vulnerabilities
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
Malware
Trend Reports
Vulnerabilities
Botnet
DDoS
Exploit kit
IoT
Network security trends
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020 . Several newly observed exploits, including CVE-2020-28188 , CVE-2020-17519 , and CVE-2020-29227 , have emerged and were continuously being exploited in the wild as of late 2020 to earl
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
NoiseLetter September 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.htmlhttps://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.mdhttp://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.htmlhttps://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
2020-08-27
Published
Exploited in the wild