CVE-2020-24140

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 05:21:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Certain versions of Wcms from Wcms contain the following vulnerability:

Server-side request forgery in Wcms 0.3.2 lets an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. It can be used to identify open ports and local network hosts and to execute commands on local services.

  • CVE-2020-24140 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.3 - HIGH

| Attack Vector | Attack Complexity | Privileges Required | User Interaction |
|---|---|---|---|
| NETWORK | LOW | NONE | NONE |

| Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|
| CHANGED | LOW | LOW | LOW |

CVSS2 Score: 7.5 - HIGH

| Access Vector | Access Complexity | Authentication |
|---|---|---|
| NETWORK | LOW | NONE |

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| PARTIAL | PARTIAL | PARTIAL |

CVE References

| Description | Tags | Link |
|---|---|---|
| research/CVE-2020-24140.md at main · secwx/research · GitHub (github.com, text/html) | MISC | github.com/secwx/research/blob/main/cve/CVE-2020-24140.md |
| SSRF Vulnerability in wcms/wcms/wex/html.php · Issue #11 · vedees/wcms · GitHub (github.com, text/html) | MISC | github.com/vedees/wcms/issues/11 |

Known Affected Configurations (CPE V2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wcms | Wcms | 0.3.2 | All | All | All |
  • cpe:2.3:a:wcms:wcms:0.3.2:*:*:*:*:*:*:*:

Social Mentions

| Source | Title | Posted (UTC) |
|---|---|---|
| Twitter | @CVEreport CVE-2020-24140 : Server-side request forgery in Wcms 0.3.2 let an attacker send crafted requests from the back-end… twitter.com/i/web/status/1… | 2021-04-07 16:06:03 |
| Twitter | @LinInfoSec Php - CVE-2020-24140: github.com/vedees/wcms/is… | 2021-04-07 22:28:52 |