CVE-2020-15189 MEDIUM

CVE-2020-15189: Remote Code Execution in SOY CMS

Vendor: Inunosinsi
Product: soycms
Weakness: CWE-434 · Unrestricted file upload
Published: September 18, 2020
Last update: August 4, 2024

CVSS base score

6.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

SOY CMS 3.0.2 and earlier is affected by remote code execution (RCE) through unrestricted file upload. The cross-site scripting (XSS) vulnerability used in CVE-2020-15183 can be used to increase the impact by redirecting the administrator to a specially crafted page. The vulnerability is caused by an insecure configuration in elFinder. It is fixed in version 3.0.2.328.

Key dates

02 Disclosure timeline

September 18, 2020: CVE published
August 4, 2024: Record updated