CVE-2020-24139

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 05:24:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Certain versions of Wcms from Wcms contain the following vulnerability:

Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the path parameter to wex/cssjs.php. It can be used to identify open ports and local network hosts, and to execute commands on local services.

  • CVE-2020-24139 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.3 - HIGH

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW

CVSS2 Score: 7.5 - HIGH

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • SSRF Vulnerability in wcms/wcms/wex/cssjs.php · Issue #8 · vedees/wcms · GitHub (tag: MISC): github.com/vedees/wcms/issues/8
  • research/CVE-2020-24139.md at main · secwx/research · GitHub (tag: MISC): github.com/secwx/research/blob/main/cve/CVE-2020-24139.md

Known Affected Configurations (CPE V2.3)

  • Type: Application
  • Vendor: Wcms
  • Product: Wcms
  • Version: 0.3.2
  • Update: All
  • Edition: All
  • Language: All
  • cpe:2.3:a:wcms:wcms:0.3.2:*:*:*:*:*:*:*

Social Mentions

  • Twitter, @CVEreport, posted 2021-04-07 16:05:38 UTC: CVE-2020-24139 : Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end… twitter.com/i/web/status/1…
  • Twitter, @LinInfoSec, posted 2021-04-07 22:28:51 UTC: Php - CVE-2020-24139: github.com/vedees/wcms/is…