
CMSUno 1.6.2 - Remote Code Execution [Authenticated] (password.php) | CVE-2020-25557


Vendor: https://github.com/boiteasite/cmsuno/
Version: 1.6.2
Vulnerability: Code Injection
CVE: CVE-2020-25557

Exploit-DB: https://www.exploit-db.com/exploits/49031

Analysis

If you have read my other blog post about CMSUno, this vulnerability will look familiar, because the underlying problem is the same, so I will not go into much detail in this article. The problem is that when you change your username and password, the new values are written to the password.php file without any filtering, like below.

This is the content of the password.php file.

While you are changing your password, you can inject PHP code into the $user parameter. After that, when you log in to the application, the injected PHP code is run.
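
A hardened way to persist credentials to a PHP file, as an added example that is not CMSUno's code or the project's fix: the function names, file path, array layout and use of `password_hash()` are assumptions. The username is allow-listed and both values are emitted with `var_export()`, so request data is never concatenated into PHP source as syntax.

```php
<?php
// Added example, not CMSUno code. Names, path and array layout are assumptions.
declare(strict_types=1);

// Build the PHP source of a credentials file so that the values stay data.
function render_credentials_file(string $user, string $passwordHash): string
{
    // Allow-list the username: anything outside this set is refused outright.
    if (preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $user) !== 1) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    // var_export() emits a fully escaped PHP literal, so the values cannot
    // close the string and continue as code.
    $data = ['user' => $user, 'pass' => $passwordHash];
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

function save_credentials(string $path, string $user, string $plainPassword): void
{
    // Assumption: the password is stored as a password_hash() digest.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $src = render_credentials_file($user, $hash);
    // Write to a temporary file, then rename, so a partial file is never loaded.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('could not write credentials file');
    }
}

// Demonstration with constructed inputs.
$path = sys_get_temp_dir() . '/password_example.php';
save_credentials($path, 'alice', 'correct horse');
$creds = require $path;
var_dump($creds['user'] === 'alice');
var_dump(password_verify('correct horse', $creds['pass']));

// A constructed username carrying quote and tag characters is rejected
// before anything is written to disk.
$untrusted = "a'b\"c<?";
try {
    save_credentials($path, $untrusted, 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Defence in depth: even without the allow-list, var_export() keeps it a string.
echo var_export($untrusted, true), "\n";
unlink($path);
```

Keeping credentials in a non-executable store (a JSON file outside the web root, or a database) removes this class of bug entirely, because the stored values are never parsed as PHP.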