CVE-2020-25538
published 2020-11-13


Priority: P2 (64), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC referenced
EPSS: 9.85% (95.0th percentile)
An authenticated attacker can inject malicious code into the "lang" parameter of the /uno/central.php file in CMSuno 1.6.2 and have that PHP code executed by the web page. In this way, the attacker can take over control of the server.

Affected (1 range)

| Vendor         | Product | Version range | Fixed in |
|----------------|---------|---------------|----------|
| cmsuno_project | cmsuno  |               |          |

Detection & IOCs (extracted from sources)

url: /uno/central.php
path: /uno/central.php
path: /uno.php
command (POST body): action=sauvePass&unox=<token>&user0=&pass0=&user=&pass=&lang=<payload>
other (request header): X-Requested-With: XMLHttpRequest
other (injection string): ";$pass='<pass>';system('<cmd>');?>//
  • Monitor POST requests to /uno/central.php whose 'lang' parameter contains PHP code-injection patterns (e.g., system(), passthru(), exec()) together with action=sauvePass.
  • Alert on the PoC payload shape in the HTTP POST body: a double quote followed by a semicolon, a $pass= assignment, a system() call, and the PHP closing tag ?> followed by // (the injection string ";$pass='<pass>';system('<cmd>');?>//).
  • Use Google dork signatures to identify exposed CMSuno instances: inurl:uno/central.php, inurl:uno/config.php, inurl:uno.php intitle:"CMSUno - Login".
  • The exploit logs in via /uno.php first, then POSTs the malicious payload to /uno/central.php; correlate sequential POST requests to both endpoints from the same source IP as a behavioral indicator.
  • The PoC scrapes the anti-CSRF token 'unox' from page markup with the regexes /name="unox" value="([a-f0-9]{32}?)"/ (unauthenticated) and /Unox='([a-f0-9]{32}?)'/ (authenticated). These patterns match legitimate CMSuno responses, so they describe the exploit's token-harvesting step rather than a standalone indicator; a client that fetches the login page and immediately POSTs to /uno.php and then /uno/central.php is the signal.
  • The 'lang' vector yields blind RCE only: no command output is returned in the HTTP response, so response-content inspection will not detect this vector and detection has to be request-side.
  • The exploit affects both CMSuno 1.6.1 and 1.6.2; do not scope detection rules to version 1.6.2 alone.
  • Exploitation requires prior authentication; detections should expect a valid login session to be established before the injection POST is sent.

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P