cbcvebase.
CVE-2020-29279
published 2020-12-02

CVE-2020-29279: PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code…

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
52.88%
98.8th percentile
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
74cms74cms< 6.0.486.0.48

Detection & IOCsextracted from sources · hover to see the quote

url/index.php?m=home&a=assign_resume_tpl
pathApplication/Common/Controller/BaseController.class.php
pathdata/Runtime/Logs/Home/
  • Detect exploitation attempts by monitoring POST requests to /index.php?m=home&a=assign_resume_tpl with a 'tpl' parameter pointing to a log file path (e.g., data/Runtime/Logs/Home/*.log), which is the log-poisoning + file-inclusion chain used to achieve RCE.
  • A successful RCE response will contain both 'PHP Version' and the MD5 hash of the probe value in the response body with HTTP 200, indicating arbitrary PHP execution via the included log file.
  • An initial probe POST to assign_resume_tpl with an empty tpl parameter returning HTTP 404 with content-type text/html and body containing 'ThinkPHP' confirms the target is a vulnerable 74CMS instance running on ThinkPHP framework.
  • Use FOFA query app="骑士-74CMS" to identify internet-exposed 74CMS instances for proactive scanning and asset inventory.
  • ·The exploit is marked 'intrusive' — the detection probe actively POSTs to the target endpoint and attempts to include a runtime log file. This will generate real HTTP traffic and may trigger WAF/IDS alerts or cause side effects on the target.
  • ·The log file path used in the inclusion payload is time-dependent, constructed from the current date. Detection rules must account for dynamic path components (year, month, day) when pattern-matching the tpl parameter value.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.