CVE-2020-8641
published 2020-02-05

CVE-2020-8641: Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter.

Priority: P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 10.81% (95.3th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
lotus_core_cms_project | lotus_core_cms | - | -

Detection & IOCs (extracted from sources)

url: /index.php?page_slug=../../../../../etc/passwd%00
path: /index.php
  • Look for GET requests to index.php with a page_slug parameter containing directory traversal sequences (e.g., '../') and a null byte (%00) to truncate the .php extension.
  • Exploitation requires authentication (PR:L). Monitor for authenticated sessions making traversal requests via the page_slug parameter.
  • A successful exploitation response returns HTTP 200 and contains a string matching the pattern 'root:.*:0:0:' (passwd file content) in the body.
  • The null byte (%00) truncation technique is required to bypass the .php extension appended by the CMS; this only works on PHP versions where null byte poisoning is effective (typically PHP < 5.3.4).
  • Only .php files can be included via this LFI vector, limiting the scope of directly readable file types without null byte bypass.
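
Added example (not part of the original entry or of Lotus Core CMS): the request-side checks listed above, applied to web server access logs. It assumes combined-log-format lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines for illustration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2020:10:00:01 +0000] "GET /index.php?page_slug=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Feb/2020:10:00:07 +0000] "GET /index.php?page_slug=../../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.9 - - [05/Feb/2020:10:00:09 +0000] "GET /index.php?page_slug=%252e%252e%252fconfig HTTP/1.1" 404 312',
    '203.0.113.7 - - [05/Feb/2020:10:00:12 +0000] "GET /assets/app.css?page_slug=../x HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict for a suspicious page_slug request, else None."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/index.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("page_slug", []):
        slug = fully_decode(raw).replace("\\", "/")
        traversal = ".." in slug.split("\x00")[0].split("/")
        null_byte = "\x00" in slug
        if traversal or null_byte:
            return {"traversal": traversal, "null_byte": null_byte,
                    "status": int(m["status"]),
                    # 200 only marks a candidate; confirming needs the response body
                    "severity": "high" if traversal and null_byte else "medium"}
    return None

def scan(lines):
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

Access logs carry no response body, so a "high" finding with status 200 still needs the 'root:.*:0:0:' body check from a proxy or WAF capture before it is treated as a confirmed read.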

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P