Vulnerability Details : CVE-2020-4041
In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. JavaScript cannot be injected into the file name at creation/upload time, but once a file has been created/uploaded it can be renamed to inject the payload into its name. Additionally, the measures that prevent renaming a file to a disallowed filename extension could be circumvented. This is fixed in Bolt 3.7.1.
Vulnerability category: Cross site scripting (XSS)
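The description above points at two separate defects: the filename check ran only on upload, not on rename, and the stored name was later written into a page unescaped. The following is an added example, not Bolt's code, of the defensive pattern that closes both gaps: one validation routine applied identically to upload and to rename (so a rename cannot reintroduce what the upload check rejected), plus HTML escaping of the stored name at output time. The allow-list of extensions and the function names are assumptions made for the illustration.

```python
import html
import os
import re

# Hypothetical allow-list for this example; not Bolt's real configuration.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Exactly one dot: a base name of safe characters, then an extension.
# Rejecting multi-dot names keeps the extension check unambiguous
# (so a name such as 'x.php.png' is refused rather than judged by its last segment).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def validate_filename(name: str) -> str:
    """Return the filename unchanged if it is acceptable, else raise ValueError.

    This single routine is the one place where filename policy lives, so the
    upload path and the rename path cannot drift apart.
    """
    # Reject anything carrying directory components or traversal.
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("path components are not allowed in a filename")
    if not _SAFE_NAME.match(name):
        raise ValueError("filename contains disallowed characters or extra dots")
    # Extension comparison is case-insensitive: 'x.PHP' must not slip past 'php'.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    return name


def accept_upload(name: str) -> str:
    """Validation applied when a file is first uploaded (hypothetical hook)."""
    return validate_filename(name)


def rename_file(current: str, requested: str) -> str:
    """Validation applied on rename: the new name gets the same check as an upload."""
    validate_filename(current)      # stored name should already be clean
    return validate_filename(requested)


def is_acceptable(name: str) -> bool:
    """Boolean wrapper used for quick policy checks."""
    try:
        validate_filename(name)
        return True
    except ValueError:
        return False


def render_filename(name: str) -> str:
    """Escape a stored filename before placing it in HTML (defense in depth:
    even a name that somehow bypassed validation cannot break out of the markup)."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed sample names, not data from the advisory.
    for candidate in ["photo.png", "Photo.PNG", "notes.php", "x.php.png", "../a.png", "<b>x</b>.png"]:
        print(f"{candidate!r:22} accepted={is_acceptable(candidate)}")
    print(render_filename("a<b>.png"))
```

Both `accept_upload` and `rename_file` funnel through `validate_filename`, which is the point: the original defect was not a weak regex but a check that one code path skipped. The `render_filename` escape is kept even though validation already bans `<` and `"`, because output encoding is the control that actually neutralizes stored XSS regardless of what reached the database.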
Products affected by CVE-2020-4041
- cpe:2.3:a:boltcms:bolt:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-4041
- EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~78% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-4041
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N | 2.8 | 4.0 | GitHub, Inc. |
CWE ids for CVE-2020-4041
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2020-4041
- https://github.com/bolt/bolt/pull/7853
  Check CSRF on Preview page by bobdenotter · Pull Request #7853 · bolt/bolt · GitHub (Patch; Third Party Advisory)
- http://seclists.org/fulldisclosure/2020/Jul/4
  Full Disclosure: Bolt CMS <= 3.7.0 Multiple Vulnerabilities - CSRF to RCE (Exploit; Mailing List; Third Party Advisory)
- https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j
  The filename of uploaded files vulnerable to stored XSS · Advisory · bolt/bolt · GitHub (Patch; Third Party Advisory)
- http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html
  Bolt CMS 3.7.0 XSS / CSRF / Shell Upload ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f
  Merge pull request #7853 from bolt/fix/csrf-check-on-preview · bolt/bolt@b42cbfc · GitHub (Patch; Third Party Advisory)