Arbitrary Code Execution via Image Extension Manipulation in CuppaCMS File Manager

Arbitrary Code Execution via Image Extension Manipulation in CuppaCMS File Manager

CVE-2020-26048 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The file manager option in CuppaCMS before 2019-11-12 allows an authenticated attacker to upload a malicious file within an image extension and through a custom request using the rename function provided by the file manager is able to modify the image extension into PHP resulting in remote arbitrary code execution.

Learn more about our Cms Pen Testing.