An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
Published 2020-11-05 02:15:12
Updated 2022-10-19 15:58:30
Source MITRE
View at NVD,   CVE.org

Products affected by CVE-2020-27387

Exploit prediction scoring system (EPSS) score for CVE-2020-27387

17.64%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-27387

  • HorizontCMS Arbitrary PHP File Upload
    Disclosure Date: 2020-09-24
    First seen: 2020-11-13
    exploit/multi/http/horizontcms_upload_exec
    This module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to

CVSS scores for CVE-2020-27387

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.5
MEDIUM AV:N/AC:L/Au:S/C:P/I:P/A:P
8.0
6.4
NIST
8.8
HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2.8
5.9
NIST

CWE ids for CVE-2020-27387

References for CVE-2020-27387

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!