CVE-2020-27387
published 2020-11-05


CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Priority: P181 high
Flags: ITW (exploited in the wild), EXPLOIT (public exploit code available), VulnCheck KEV
EPSS: 18.46% (96.9th percentile)
An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
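The flaw described above is an extension check applied only at upload time and not on the rename path. The following is an added, illustrative model of that pattern, not HorizontCMS's code (the class and method names and the allowlist are assumptions): WeakFileManager reproduces the behaviour in the description, HardenedFileManager applies one allowlist on both upload and rename and also refuses dotfiles such as .htaccess.

```python
"""Model of the CVE-2020-27387 pattern: an extension check applied only on
upload, bypassed by renaming the stored file afterwards.

Added, illustrative example; not HorizontCMS's code. Class and method names
and the allowlist are assumptions. WeakFileManager reproduces the flaw the
advisory describes, HardenedFileManager applies one allowlist on both the
upload and the rename path and also refuses dotfiles such as .htaccess.
"""
from __future__ import annotations

import os
import secrets

# Assumed site policy: what a CMS media library legitimately needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Server-side script extensions; used by the weak denylist and, in the
# hardened variant, rejected in any position ("shell.php.jpg" included).
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar"}


class UploadRejected(ValueError):
    """Raised when a filename fails the upload/rename policy."""


def _extension(name: str) -> str:
    """Lower-cased last suffix of the basename, '' if there is none."""
    base = os.path.basename(name).lower()
    return base.rsplit(".", 1)[1] if "." in base else ""


class WeakFileManager:
    """Denylist on upload only: the behaviour the advisory describes."""

    def __init__(self) -> None:
        # stored (server-assigned) name -> original client filename
        self.storage: dict[str, str] = {}

    def upload(self, filename: str) -> str:
        if _extension(filename) in SCRIPT_EXTENSIONS:
            raise UploadRejected("PHP files are not allowed")
        stored = secrets.token_hex(8)  # the random name the server assigns
        self.storage[stored] = filename
        return stored

    def rename(self, stored: str, new_name: str) -> str:
        # Flaw: no policy check here, so "<random>" -> "shell.php" succeeds
        # and the file becomes executable under /storage/.
        self.storage[new_name] = self.storage.pop(stored)
        return new_name


class HardenedFileManager(WeakFileManager):
    """Allowlist applied identically on upload and rename."""

    @staticmethod
    def _check(name: str) -> None:
        base = os.path.basename(name)
        if not base or base.startswith(".") or "\x00" in name:
            raise UploadRejected("dotfiles (e.g. .htaccess) and empty names refused")
        parts = base.lower().split(".")
        if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
            raise UploadRejected(f"script extension in {base!r}")
        if _extension(base) not in ALLOWED_EXTENSIONS:
            raise UploadRejected(f"extension not in allowlist: {base!r}")

    def upload(self, filename: str) -> str:
        self._check(filename)
        return super().upload(filename)

    def rename(self, stored: str, new_name: str) -> str:
        self._check(new_name)  # same policy on the rename path
        return super().rename(stored, new_name)


def _attempt(fn, *args) -> bool:
    """True if the operation was accepted, False if the policy rejected it."""
    try:
        fn(*args)
        return True
    except UploadRejected:
        return False


def demo() -> dict[str, bool]:
    """Exercise both managers; returns which attempts were accepted."""
    weak, hard = WeakFileManager(), HardenedFileManager()
    weak_tok = weak.upload("payload.txt")
    hard_tok = hard.upload("payload.txt")
    return {
        "weak_rename_to_php": _attempt(weak.rename, weak_tok, "shell.php"),
        "weak_htaccess_upload": _attempt(weak.upload, ".htaccess"),
        "hardened_rename_to_php": _attempt(hard.rename, hard_tok, "shell.php"),
        "hardened_htaccess_upload": _attempt(hard.upload, ".htaccess"),
        "hardened_double_extension": _attempt(hard.upload, "shell.php.jpg"),
        "hardened_image_upload": _attempt(hard.upload, "photo.PNG"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'accepted' if v else 'rejected'}")
```

The weak variant also accepts ".htaccess" because its last suffix is not a PHP extension, which is the shape of the later bypass noted under Detection & IOCs; the hardened variant rejects it by refusing dotfiles outright rather than by extending the denylist.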

Affected (1 range)

Vendor               Product       Version range   Fixed in
horizontcms_project  horizontcms   (not given)     (not given)

Detection & IOCs (extracted from sources)

url: /admin/file-manager/fileupload
url: /admin/file-manager/rename
url: /storage/file_name
path: /admin/file-manager/fileupload
filename: .htaccess
  • Monitor for HTTP POST requests to /admin/file-manager/fileupload followed by a POST to /admin/file-manager/rename from the same client; this two-step sequence is characteristic of the Metasploit exploit module for CVE-2020-27387.
  • Alert on HTTP GET requests to /storage/<filename> immediately after upload/rename activity on HorizontCMS; this is the payload execution step, and a GET for a file with a PHP extension under /storage/ is the clearest signal.
  • Detect uploads of .htaccess files, or of files with arbitrary extensions such as *.hello, through the HorizontCMS Media Files upload functionality; these were used to bypass the PHP extension filter (CVE-2021-28428) and regain RCE.
  • For Linux and Windows targets, the exploit uploads a PHP web shell and then delivers a staged payload through several HTTP GET requests to that shell; look for repeated GET requests to a newly created file under /storage/.
  • Exploitation requires valid credentials for a HorizontCMS account in the Admin, Manager, or Editor group; in the default configuration all three groups have FileManager access. Restrict FileManager access to the smallest set of users who need it.
  • The PHP-extension block introduced to fix CVE-2020-27387 was bypassed (CVE-2021-28428) by uploading a .htaccess file together with a file of arbitrary extension; denying PHP extensions alone is insufficient, so block .htaccess uploads as well, or better, allowlist permitted extensions and apply the same check on rename.
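The request sequence in the notes above, turned into a log correlation rule, as an added example (not the advisory's or HorizontCMS's code): it reads Apache combined-format access log lines, correlates upload, rename and /storage/ GET per client IP inside a time window, counts repeated GETs to one stored file, and flags any GET for a PHP-extension file under /storage/. The log lines are constructed for this example; the endpoint paths are those from the IOC list.

```python
"""Correlate the CVE-2020-27387 exploitation sequence in web-server access logs.

Added example, not from the advisory or from HorizontCMS. It implements the
detection notes above: a POST to /admin/file-manager/fileupload followed by a
POST to /admin/file-manager/rename and a GET under /storage/ from the same
client within a short window; repeated GETs to one /storage/ file (staged
payload delivery); and any GET for a PHP-extension file under /storage/.
The log lines are constructed for this example, in Apache combined format.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD = "/admin/file-manager/fileupload"
RENAME = "/admin/file-manager/rename"
STORAGE = "/storage/"
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar"}

# Constructed sample: one attacker (203.0.113.5) and one benign editor.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2020:10:00:01 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.5 - - [05/Nov/2020:10:00:05 +0000] "POST /admin/file-manager/fileupload HTTP/1.1" 200 112
203.0.113.5 - - [05/Nov/2020:10:00:07 +0000] "POST /admin/file-manager/rename HTTP/1.1" 200 64
203.0.113.5 - - [05/Nov/2020:10:00:09 +0000] "GET /storage/aB3dE9fG.php HTTP/1.1" 200 17
203.0.113.5 - - [05/Nov/2020:10:00:10 +0000] "GET /storage/aB3dE9fG.php HTTP/1.1" 200 17
203.0.113.5 - - [05/Nov/2020:10:00:11 +0000] "GET /storage/aB3dE9fG.php HTTP/1.1" 200 4096
198.51.100.7 - - [05/Nov/2020:10:05:00 +0000] "POST /admin/file-manager/fileupload HTTP/1.1" 200 112
198.51.100.7 - - [05/Nov/2020:10:05:30 +0000] "GET /storage/photo.jpg HTTP/1.1" 200 23000
"""


def parse(text: str) -> list[dict]:
    """Parse combined-format lines into events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop query string
            "status": int(m["status"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def _is_script(path: str) -> bool:
    """True if any dotted segment of the last path component is a script extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(part in SCRIPT_EXTENSIONS for part in name.split(".")[1:])


def detect(events: list[dict], window: timedelta = timedelta(minutes=5),
           repeat_threshold: int = 3) -> list[dict]:
    """Return alerts; each has 'rule', 'ip' and 'path' keys."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    for ip, evs in by_ip.items():
        uploads = [e for e in evs if e["method"] == "POST" and e["path"] == UPLOAD]
        renames = [e for e in evs if e["method"] == "POST" and e["path"] == RENAME]
        gets = [e for e in evs if e["method"] == "GET" and e["path"].startswith(STORAGE)]

        # Rule 1: upload -> rename -> execute, in that order, inside the window.
        for up in uploads:
            deadline = up["ts"] + window
            rn = next((r for r in renames if up["ts"] <= r["ts"] <= deadline), None)
            if rn is None:
                continue
            hit = next((g for g in gets if rn["ts"] <= g["ts"] <= deadline), None)
            if hit is not None:
                alerts.append({"rule": "upload-rename-execute", "ip": ip, "path": hit["path"]})

        # Rule 2: the staged payload is fetched through repeated GETs to one file.
        for path, n in Counter(g["path"] for g in gets if g["status"] == 200).items():
            if n >= repeat_threshold:
                alerts.append({"rule": "repeated-storage-get", "ip": ip, "path": path, "count": n})

        # Rule 3: nothing under /storage/ should ever be a server-side script.
        for path in sorted({g["path"] for g in gets if _is_script(g["path"])}):
            alerts.append({"rule": "php-under-storage", "ip": ip, "path": path})

    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

Rule 1 needs all three requests from one client IP; behind a shared proxy or NAT, key on the authenticated user from the application log instead. The uploaded and renamed filenames travel in request bodies and are not visible in access logs, so the .htaccess IOC has to come from the application's own upload log or from the file system under /storage/.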

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
VulnCheck: 8.8 HIGH