CVE-2020-29279
Published 2020-12-02
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 52.88% (98.8th percentile)
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 74cms | 74cms | < 6.0.48 | 6.0.48 |
Detection & IOCs
path: data/Runtime/Logs/Home/
- Detect exploitation attempts by monitoring POST requests to /index.php?m=home&a=assign_resume_tpl with a 'tpl' parameter pointing to a log file path (e.g., data/Runtime/Logs/Home/*.log), which is the log-poisoning + file-inclusion chain used to achieve RCE.
- A successful RCE response will contain both 'PHP Version' and the MD5 hash of the probe value in the response body with HTTP 200, indicating arbitrary PHP execution via the included log file.
- An initial probe POST to assign_resume_tpl with an empty tpl parameter returning HTTP 404 with content-type text/html and body containing 'ThinkPHP' confirms the target is a vulnerable 74CMS instance running on ThinkPHP framework.
- Use FOFA query app="骑士-74CMS" to identify internet-exposed 74CMS instances for proactive scanning and asset inventory.
- Note: the exploit is marked 'intrusive': the detection probe actively POSTs to the target endpoint and attempts to include a runtime log file. This will generate real HTTP traffic and may trigger WAF/IDS alerts or cause side effects on the target.
- Note: the log file path used in the inclusion payload is time-dependent, constructed from the current date. Detection rules must account for dynamic path components (year, month, day) when pattern-matching the tpl parameter value.
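The request-side checks above can be expressed as a small classifier. This is an added example, not code from any of the sources quoted on this page; it assumes request records that include the POST form body (for example from a WAF or reverse proxy), and the labels, `EXAMPLE.log` and `default` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory named on the page. The file name is date-derived, so match the
# directory plus any *.log name rather than one fixed date.
LOG_DIR = re.compile(r"data/Runtime/Logs/Home/[^/]*\.log", re.IGNORECASE)


def normalize(value):
    """Undo nested percent-encoding and path noise before matching."""
    for _ in range(3):  # bounded number of extra decoding passes
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    value = re.sub(r"/(\./)+", "/", value)  # drop "./" segments
    return re.sub(r"/{2,}", "/", value)     # collapse repeated slashes


def classify(method, uri, body=""):
    """Return 'log-inclusion', 'empty-tpl-probe', 'tpl-review' or None."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    actions = [a.lower() for a in params.get("a", [])]
    if method.upper() != "POST" or "assign_resume_tpl" not in actions:
        return None
    tpls = [normalize(t) for t in params.get("tpl", [])]
    if any(LOG_DIR.search(t) for t in tpls):
        return "log-inclusion"        # tpl points into the runtime log dir
    if tpls and all(not t.strip() for t in tpls):
        return "empty-tpl-probe"      # fingerprinting request from the page
    return "tpl-review" if tpls else None


# Constructed request records (method, URI, form body), not captured traffic.
ENDPOINT = "/index.php?m=home&a=assign_resume_tpl"
SAMPLES = [
    ("POST", ENDPOINT, "tpl=data/Runtime/Logs/Home/EXAMPLE.log"),
    ("POST", ENDPOINT, "tpl=data%252FRuntime%252F.%252FLogs%255CHome%252FEXAMPLE.log"),
    ("POST", ENDPOINT, "tpl="),
    ("POST", ENDPOINT, "tpl=default"),
    ("GET", "/index.php?m=home&a=index", ""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(classify(method, uri, body), method, uri, body)
```

Pair a `log-inclusion` hit with the response-side indicators listed above (HTTP 200 with 'PHP Version' in the body) to separate attempts from successful execution.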
CVSS provenance
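| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |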
GHSA
GHSA-j5rq-6w98-hx99: PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController
ghsa_unreviewed·2022-05-24
VulnCheck
74cms 74cms Improper Control of Generation of Code ('Code Injection')
vulncheck·2020·CVSS 9.8
Affected: 74cms 74cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://app.crowdsec.net/cti/cve-explorer/CVE-2020-29279
No detection rules found.
Nuclei
74CMS - Remote File Inclusion
nuclei·CVSS 9.8
Template:
```yaml
id: CVE-2020-29279

info:
  name: 74CMS - Remote File Inclusion
  author: DhiyaneshDK
  severity: critical
  description: |
    PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 6.0.48 or later.
  reference:
    - https://github.com/Ares-X/VulWiki/blob/master/Web%E5%AE%89%E5%85%A8/74cms/74cms%20v6.0.48%E6%A8%A1%E7%89%88%E6%B3%A8%E5%85%A
```
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen
Published: July 1, 2021