cbcvebase.
CVE-2020-8644
published 2020-02-05

CVE-2020-8644: PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 86.69% (99.7th percentile)
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

Affected

1 range
Vendor: playsms · Product: playsms · Version range: < 1.4.3 · Fixed in: 1.4.3

Detection & IOCs (extracted from sources)

url: /index.php?app=main&inc=core_auth&route=login
url: /index.php?app=main&inc=core_auth&route=login&op=login
path: src/Playsms/Tpl.php
command: {{`printf <base64_payload>|base64 -d |sh`}}
command: {{<payload>}}
other: %7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D
  • Detect SSTI payload pattern in the username POST parameter: look for double-curly-brace template syntax (e.g., `{{...}}`) submitted to /index.php?app=main&inc=core_auth&route=login&op=login
  • A 302 redirect to index.php?app=main&inc=core_auth&route=login on a GET to index.php is used by exploit modules as a fingerprint that the target is a vulnerable PlaySMS instance
  • Monitor for backtick command-execution syntax inside TPL template double-curly-brace expressions in HTTP POST body username fields, e.g., {{`...`}}
  • The nuclei template checks for the reversed string '4468-0202-EVC' in the response body as a proof-of-execution indicator for CVE-2020-8644
  • The exploit requires a valid CSRF token extracted from the login page before submitting the malicious username; detection rules must account for this two-step request pattern
  • The payload is base64-encoded to bypass HTML tag and semicolon filters applied by the application; detection must decode or match encoded variants
  • The vulnerability exists in the TPL template engine's _compile() method via double-processing; the malicious value is stored first and executed on a second render, meaning the payload execution is deferred to a subsequent GET request
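The detection points above (template syntax in the login POST's username field, encoded variants, and the reversed-string proof marker) as an added example in Python; this is not code from the page or from the PlaySMS project, the sample requests are constructed, and the CSRF field name `csrf_token` is a placeholder:

```python
import re
from urllib.parse import parse_qs, unquote

# Double-curly-brace TPL expression; the inner group tells us whether
# backtick command-execution syntax is present inside it.
TPL_EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
LOGIN_PATH = "/index.php?app=main&inc=core_auth&route=login&op=login"
PROOF_MARKER = "4468-0202-EVC"  # 'CVE-2020-8644' reversed, per the nuclei template

def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding (payloads may be double-encoded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_login_post(path, body):
    """Return 'ssti-exec', 'ssti', or None for one POST request to the login route."""
    if not path.startswith("/index.php") or "route=login" not in path:
        return None
    fields = parse_qs(body, keep_blank_values=True)  # decodes one layer itself
    for raw in fields.get("username", []):
        username = fully_decode(raw)
        for m in TPL_EXPR.finditer(username):
            return "ssti-exec" if "`" in m.group(1) else "ssti"
    return None

def response_shows_execution(body):
    """True if the response carries the reversed-string execution indicator."""
    return PROOF_MARKER in body

# Constructed sample traffic (not real captures); csrf_token is a placeholder name.
SAMPLE_POSTS = [
    (LOGIN_PATH, "csrf_token=abc&username=alice&password=secret"),
    (LOGIN_PATH, "csrf_token=abc&username=%7B%7B%60echo%20ok%60%7D%7D&password=x"),
    (LOGIN_PATH, "csrf_token=abc&username=%257B%257Bconfig%257D%257D&password=x"),
    ("/index.php?app=main&inc=core_welcome", "username=%7B%7B%60echo%20ok%60%7D%7D"),
]

def scan(posts=SAMPLE_POSTS):
    return [classify_login_post(path, body) for path, body in posts]

if __name__ == "__main__":
    for (path, body), verdict in zip(SAMPLE_POSTS, scan()):
        print(verdict, path, body)
```

The third sample is double-encoded and only resolves to a template expression after the extra decode round, which is why matching raw bodies for a literal `{{` is not enough.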

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL