CVE-2020-37113

Summary

GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature.

Affected Software

VendorProductVersion RangeStatus
OpeneclassGUnet OpenEclass1.7.3 (2007)affected

Weaknesses

  • CWE-434: Improper Neutralization of Special Elements in a File Name or Extension (File Upload)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References