CVE-2020-36825 : ** UNSUPPORTED WHEN ASSIGNED ** ** DISPUTED ** A vulnerability has been found in

** UNSUPPORTED WHEN ASSIGNED ** ** DISPUTED ** A vulnerability has been found in cyberaz0r WebRAT up to 20191222 and classified as critical. This vulnerability affects the function download_file of the file Server/api.php. The manipulation of the argument name leads to unrestricted upload. The attack can be initiated remotely. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 0c394a795b9c10c07085361e6fcea286ee793701. It is recommended to apply a patch to fix this issue. VDB-257782 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: The issue, discovered in a 20-stars GitHub project (now private) by its author, had CVE requested by a third party 4 years post-resolution, referencing the fix commit (now a broken link). Due to minimal attention and usage, it should not be eligible for CVE according to the project maintainer.

Published 2024-03-24 12:15:09

Updated 2024-08-04 18:15:52

Source VulDB

View at NVD, CVE.org

Products affected by CVE-2020-36825

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2020-36825

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-36825

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	VulDB	2024-03-24
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	2.8	3.4	VulDB	2024-03-24
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/V...	N/A	N/A	VulDB	2024-07-05
Attack Vector: Network Attack Complexity: Low Attack Requirements: None Privileges Required: Low User Interaction: None Confidentiality (VC): Low Integrity (VI): Low Availability (VA): Low

CWE ids for CVE-2020-36825

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: cna@vuldb.com (Primary)

References for CVE-2020-36825

https://vuldb.com/?id.257782

CVE-2020-36825: cyberaz0r WebRAT api.php download_file unrestricted upload
https://vuldb.com/?ctiid.257782

CVE-2020-36825: cyberaz0r WebRAT api.php download_file unrestricted upload
https://github.com/cyberaz0r/WebRAT/commit/0c394a795b9c10c07085361e6fcea286ee793701

Arbitrary PHP File Upload Vulnerability fixed · cyberaz0r/WebRAT@0c394a7 · GitHub

Jump to

Vulnerability Details : CVE-2020-36825

Products affected by CVE-2020-36825

Exploit prediction scoring system (EPSS) score for CVE-2020-36825

CVSS scores for CVE-2020-36825

CWE ids for CVE-2020-36825

References for CVE-2020-36825