CVE-2021-27513
published 2021-02-22

CVE-2021-27513: The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."

Priority: P2 65, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 28.39% (97.9th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
eyesofnetwork | eyesofnetwork | |

Detection & IOCs (extracted from sources)

url: /module/admin_itsm/ajax.php
filename: .xml.php
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/admin_itsm/ajax.php"; http.request_body; content:"|0d 0a 0d 0a|<?php"; fast_pattern; content:"name=|22|itsm_type_request|22|"; distance:0; reference:cve,2021-27513; classtype:attempted-admin; sid:2034160; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_27513, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |0d 0a 0d 0a|<?php
  • Detect exploit attempts by monitoring for HTTP POST requests to /module/admin_itsm/ajax.php containing a PHP webshell payload (CRLF+CRLF followed by <?php) and the multipart field name 'itsm_type_request' in the request body.
  • Alert on uploads of double-extension files (.xml.php) to the admin_ITSM module, which bypass the client-side filter ('le filtre userside') to achieve remote code execution.
  • The file upload filter is enforced client-side only ('le filtre userside'), meaning server-side validation is absent and the restriction can be trivially bypassed by any authenticated user.
  • The Snort/Suricata rule (sid:2034160) is rated confidence Medium; tune accordingly in high-noise environments.
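
The two detection points above, written as a small offline check (an added example, not code from the rule set or from this page's sources). It approximates the body conditions of sid:2034160 and adds the .xml.php filename check; the multipart part name "file", the boundary and every sample request are constructed.

```python
import re

# Values below come from the rule and IOC list on this page.
URI = "/module/admin_itsm/ajax.php"
PHP_AFTER_HEADERS = b"\r\n\r\n<?php"  # |0d 0a 0d 0a|<?php
FIELD = b'name="itsm_type_request"'
DOUBLE_EXT = re.compile(rb'filename="[^"\r\n]*\.xml\.php"', re.IGNORECASE)

def matches_rule(body):
    """Body conditions of sid:2034160: a PHP open tag directly after a part's
    headers, then the itsm_type_request field anywhere after it (distance:0)."""
    start = body.find(PHP_AFTER_HEADERS)
    if start == -1:
        return False
    return body.find(FIELD, start + len(PHP_AFTER_HEADERS)) != -1

def triage(method, uri, body):
    """Return the names of the checks that fire for one HTTP request."""
    if method != "POST" or URI not in uri:
        return []
    hits = []
    if matches_rule(body):
        hits.append("sid:2034160")
    if DOUBLE_EXT.search(body):
        hits.append("double-extension")
    return hits

def constructed_upload(filename, content, boundary=b"constructed-boundary"):
    """Constructed multipart body; the part name "file" is hypothetical."""
    sep = b"--" + boundary + b"\r\n"
    return (sep + b'Content-Disposition: form-data; name="file"; filename="'
            + filename + b'"\r\nContent-Type: text/xml\r\n\r\n' + content + b"\r\n"
            + sep + b'Content-Disposition: form-data; name="itsm_type_request"'
            + b"\r\n\r\nconstructed\r\n--" + boundary + b"--\r\n")

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "php in .xml.php": constructed_upload(
            b"constructed.xml.php", b"<?php /* constructed placeholder */ ?>"),
        "xml in .xml.php": constructed_upload(
            b"constructed.xml.php", b'<?xml version="1.0"?><request/>'),
        "xml in .xml": constructed_upload(
            b"constructed.xml", b'<?xml version="1.0"?><request/>'),
    }
    for label, body in samples.items():
        print(label, "->", triage("POST", URI, body))
```

The filename check fires on a .xml.php upload even when the file content does not start with the byte pattern the rule keys on, so running both gives wider coverage than the signature alone.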

CVSS provenance

nvd | v3.1 | 8.8 HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P