cbcvebase.
CVE-2020-27386
published 2020-11-12

Priority: high (P276)
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 72.87% (99.4th percentile)
An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to /.

Affected

1 range

Vendor                  Product         Version range   Fixed in
flexdotnetcms_project   flexdotnetcms   < 1.5.9         1.5.9

Detection & IOCs (extracted from sources)

url: /login
path: /media/uploads/asp_payload
  • Look for authenticated POST requests to /login followed by file upload activity and subsequent rename operations targeting .asp extensions via the FileEditor or FileManager rename function.
  • Detect HTTP GET requests to /media/uploads/ paths with .asp extensions, which indicate execution of an uploaded and renamed payload.
  • Alert on TXT files uploaded to the FileManager that are subsequently renamed to executable extensions (e.g., .asp); the two-stage upload-then-rename pattern is the core exploitation technique.
  • A residual TXT file copy of the ASP payload remains on the server after exploitation; scan /media/uploads/ for orphaned TXT files containing ASP code.
  • Valid authenticated credentials with FileManager permissions are required; this is not an unauthenticated exploit, so detections should focus on post-authentication abuse of file management endpoints.
  • The rename-to-ASP vector via FileEditor applies to v1.5.8 and prior; the FileManager rename vector applies to v1.5.7 and prior. Tailor detection scope to the installed version.
  • The Metasploit module was validated specifically against Windows Server 2012; behavior on other OS/versions may differ.
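As an added defender-side example (not code from the CVE record, its sources, or FlexDotnetCMS), the following Python implements two of the checks above: flagging GET requests for executable files under /media/uploads/ in an access log, and scanning upload-directory contents for the residual .txt copy that still holds ASP code. The combined-log request format, the {.asp, .aspx} extension set, the ASP marker heuristic and all sample data are assumptions.

```python
import os
import re
from typing import Dict, Iterable, List

UPLOAD_PREFIX = "/media/uploads/"          # upload path named in the IOCs above
EXEC_EXTS = {".asp", ".aspx"}               # assumption: extensions the server would execute
# Heuristic for ASP server-side code: a <% ... %> block or a <script runat="server"> tag
ASP_MARKER = re.compile(rb"<%|<script[^>]*runat\s*=\s*[\"']?server", re.I)
# Request line of a combined-format access log: "METHOD target HTTP/x.y" (assumed format)
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def flag_uploaded_script_requests(log_lines: Iterable[str]) -> List[str]:
    """Return request paths of GETs that fetch an executable file under the upload dir."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("target").split("?", 1)[0]      # ignore any query string
        ext = os.path.splitext(path)[1].lower()
        if path.lower().startswith(UPLOAD_PREFIX) and ext in EXEC_EXTS:
            hits.append(path)                           # status code is irrelevant: attempts count too
    return hits

def find_residual_asp_in_txt(files: Dict[str, bytes]) -> List[str]:
    """Return .txt files whose contents look like ASP code (the leftover pre-rename copy)."""
    return sorted(name for name, data in files.items()
                  if name.lower().endswith(".txt") and ASP_MARKER.search(data))

# Constructed sample data for the demo; not real traffic, files or page sources.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2020:10:01:02 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Nov/2020:10:01:30 +0000] "GET /media/uploads/notes.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Nov/2020:10:02:11 +0000] "GET /media/uploads/asp_payload.asp HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Nov/2020:10:03:00 +0000] "GET /Media/Uploads/page2.ASP?v=1 HTTP/1.1" 404 0',
    '198.51.100.4 - - [12/Nov/2020:10:03:05 +0000] "GET /static/site.asp HTTP/1.1" 200 99',
]
SAMPLE_FILES = {
    "asp_payload.txt": b'<% Response.Write("marker") %>',   # residual pre-rename copy
    "asp_payload.asp": b'<% Response.Write("marker") %>',   # the renamed, executable file
    "notes.txt": b"Meeting notes: 50% done, <b>draft</b>",  # benign; no ASP markers
}

if __name__ == "__main__":
    print(flag_uploaded_script_requests(SAMPLE_LOG))
    print(find_residual_asp_in_txt(SAMPLE_FILES))
```

On a live host, build the mapping for `find_residual_asp_in_txt` from the real /media/uploads/ tree (for example with `os.walk` and `open(path, "rb")`) rather than from the constructed dictionary.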

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P