CVE-2020-25790
Published 2020-09-19
Priority: P357 | Severity: high | CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 15.58% (96.4th percentile)
Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typesettercms | typesetter | 5.0 – 5.1 | — |
Detection & IOCs (extracted from sources)
- Alert on GET requests to /data/_uploaded/file/*.php that carry a cmd query-string parameter (e.g. ?cmd=id); this indicates webshell execution after ZIP extraction.
- Detect the truncated User-Agent string 'Chrome/85.0.4183.102 Safari' (missing the 'Safari/' version suffix), which the public exploit script sends.
- Flag .php files inside ZIP archives uploaded to Typesetter CMS instances; the exploit relies on uploading a ZIP that contains a malicious .php file.
- Use the Google dork 'intext:"Powered by Typesetter"' to identify exposed Typesetter CMS instances for proactive asset discovery.
- Watch for the initial login POST to /Admin with fields including login_nonce, pass_md5, pass_sha and pass_sha512, a fingerprint of the exploit's automated authentication flow.

Notes
- The exploit requires authenticated admin credentials; it is not an unauthenticated RCE. Detection should focus on post-authentication abuse of the file manager rather than pre-auth exploitation.
- The vendor disputes the severity, noting that admins are trusted, but acknowledged that the behavior contradicts their security policy and committed to fixing it in version 5.2.
- The exploit script hardcodes a local proxy (127.0.0.1:8080) in its PROXIES dict but never passes it to the requests calls; traffic will not be proxied unless the script is modified.
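The first three detection items above can be turned into simple checks. The following is an added example (not code from this advisory's sources or from the Typesetter project) that scans constructed Apache combined-format log lines for the two request-level indicators (a GET to an uploaded .php with a cmd parameter, and the bare "Safari" User-Agent) and lists .php members of an uploaded ZIP before it is extracted. The log lines, IP addresses and the in-memory ZIP are constructed samples; the log format and the exact upload path are assumptions taken from the IOC text.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed); only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Directory under which extracted uploads are served, per the IOC above.
UPLOAD_PHP_RE = re.compile(r'^/data/_uploaded/file/.+\.php$', re.IGNORECASE)

# Constructed sample log lines; hosts, times and file names are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/85.0.4183.102 Safari/537.36"',
    '10.0.0.9 - - [19/Sep/2020:10:02:15 +0000] "POST /Admin HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/85.0.4183.102 Safari"',
    '10.0.0.9 - - [19/Sep/2020:10:02:20 +0000] "GET /data/_uploaded/file/shell.php?cmd=id HTTP/1.1" 200 73 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/85.0.4183.102 Safari"',
    '10.0.0.7 - - [19/Sep/2020:10:03:00 +0000] "GET /data/_uploaded/file/report.pdf HTTP/1.1" 200 9001 "-" '
    '"curl/7.68.0"',
]


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Apply the two request-level rules; returns one hit dict per (line, rule)."""
    hits = []
    for idx, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        # Rule 1: GET to an uploaded .php file with a cmd query parameter
        # (keep_blank_values so "?cmd=" with an empty value is still caught).
        if (rec["method"] == "GET" and UPLOAD_PHP_RE.match(url.path)
                and "cmd" in parse_qs(url.query, keep_blank_values=True)):
            hits.append({"line": idx, "rule": "webshell_cmd",
                         "ip": rec["ip"], "path": url.path})
        # Rule 2: User-Agent ending in a bare "Safari" token with no "/<version>".
        if rec["ua"].endswith(" Safari"):
            hits.append({"line": idx, "rule": "truncated_ua",
                         "ip": rec["ip"], "path": url.path})
    return hits


def php_members(zip_bytes):
    """List archive members named *.php (any directory depth) without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".php")]


def build_sample_zip():
    """Constructed upload: one harmless text file plus an empty .php member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "harmless text")
        zf.writestr("shell.php", "")  # placeholder name only, no content
    return buf.getvalue()


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['rule']} from {h['ip']} on {h['path']}")
    print("php members in upload:", php_members(build_sample_zip()))
```

The ZIP check is the one to wire into the upload path itself (reject or quarantine an archive that returns a non-empty list), while the log rules are after-the-fact; together they cover both the upload and the later execution request.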
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/159503/Typesetter-CMS-5.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/159615/Typesetter-CMS-5.1-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2020/Oct/11
- https://github.com/Typesetter/Typesetter/issues/674