CVE-2017-20063: Unrestricted Upload of File with Dangerous Type in Elefant CMS
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2017-20063
GHSA ID
EPSS Score: 0.50253%
CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Published: 6/21/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| elefant/cms | composer | < 1.3.13 | 1.3.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability affects the file upload functionality of the /filemanager/upload/drop endpoint. The PoC demonstrates uploading a .php5 file containing PHP code, which the endpoint improperly accepted. Exact function names are not provided in the disclosures, but the endpoint's handler is responsible for the insufficient file type validation. The CWE-434 classification and the attack pattern confirm that this is an unrestricted upload of a file with a dangerous type.
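The weakness is that the upload handler decided by file name what it would store, and its check did not cover alternate PHP extensions such as .php5. The block below is an added example, not Elefant CMS's own code and not the fix shipped in 1.3.13; it shows the kind of allowlist-based validation a handler like the one behind /filemanager/upload/drop needs. The function names, the allowlist contents and the sample inputs are assumptions.

```php
<?php
// Added example (not Elefant CMS code): allowlist-based upload validation.
// Function names, the allowlist and the sample inputs are assumptions.
declare(strict_types=1);

// Extensions the application is willing to store, each with the MIME types
// its content is allowed to have. Anything not listed is refused, so no
// denylist of .php, .php5, .phtml, ... has to be kept up to date.
const UPLOAD_ALLOWLIST = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

/**
 * Returns null if the file may be stored, otherwise the reason for rejection.
 * $clientName is the name the browser sent; $tmpPath is the server-side temp file.
 */
function validate_upload(string $clientName, string $tmpPath): ?string
{
    $base = basename($clientName);
    // Require exactly "name.ext": a second dot ("shell.php5.png") is refused
    // outright instead of being interpreted by whichever component sees it.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return 'filename must be name.ext with exactly one extension';
    }
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, UPLOAD_ALLOWLIST)) {
        return "extension .$ext is not permitted";
    }
    // Check the content as well as the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, UPLOAD_ALLOWLIST[$ext], true)) {
        return 'content type ' . var_export($mime, true) . " does not match .$ext";
    }
    // Refuse PHP open tags in anything that claims to be text or an image.
    $head = file_get_contents($tmpPath, false, null, 0, 4096);
    if ($head !== false && preg_match('/<\?php|<\?=/i', $head)) {
        return 'file contains PHP code';
    }
    return null;
}

/** Store under a random, server-chosen name with the validated extension. */
function store_upload(string $clientName, string $tmpPath, string $dir): string
{
    $err = validate_upload($clientName, $tmpPath);
    if ($err !== null) {
        throw new RuntimeException("upload rejected: $err");
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // A real handler would use move_uploaded_file(); rename() keeps the example runnable offline.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Constructed sample inputs (not from the advisory): one temp file holding PHP code,
// offered under three different names.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'hi'; ?>");
foreach (['notes.txt', 'backdoor.php5', 'pic.php5.png'] as $name) {
    $reason = validate_upload($name, $tmp);
    echo $name, ' => ', $reason ?? 'accepted', PHP_EOL;
}
unlink($tmp);
```

The upload directory should additionally be served with script execution disabled, so that a validation bypass still does not yield code execution; the validator above is the first layer, not the only one.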