CVE-2020-15183 - OpenCVE

SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Soycms Project	Soycms

Configuration 1 [-]

cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707
https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48
https://youtu.be/uAMAwH35ups

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-17T20:10:13

Updated: 2024-08-04T13:08:22.471Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15183

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-17T20:15:13.417

Modified: 2020-09-23T20:00:52.373

Link: CVE-2020-15183

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "soycms", "vendor": "inunosinsi", "versions": [{"status": "affected", "version": "<= 3.0.2"}]}], "descriptions": [{"lang": "en", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-17T20:10:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"tags": ["x_refsource_MISC"], "url": "https://youtu.be/uAMAwH35ups"}], "source": {"advisory": "GHSA-33q6-4xmp-2f48", "discovery": "UNKNOWN"}, "title": "Reflected XSS leading to RCE in SoyCMS", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15183", "STATE": "PUBLIC", "TITLE": "Reflected XSS leading to RCE in SoyCMS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "soycms", "version": {"version_data": [{"version_value": "<= 3.0.2"}]}}]}, "vendor_name": "inunosinsi"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48", "refsource": "CONFIRM", "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"name": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707", "refsource": "MISC", "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"name": "https://youtu.be/uAMAwH35ups", "refsource": "MISC", "url": "https://youtu.be/uAMAwH35ups"}]}, "source": {"advisory": "GHSA-33q6-4xmp-2f48", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.471Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://youtu.be/uAMAwH35ups"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15183", "datePublished": "2020-09-17T20:10:13", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.471Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC0B8010-14FC-4DEC-8396-5532F44A5A2F", "versionEndIncluding": "3.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}, {"lang": "es", "value": "SoyCMS versiones 3.0.2 y anteriores, est\u00e1n afectadas por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado que conlleva a una Ejecuci\u00f3n de C\u00f3digo Remota (RCE) a partir de una vulnerabilidad conocida. Esto permite a atacantes remotos forzar al administrador a editar archivos una vez que el administrador carga una p\u00e1gina web especialmente dise\u00f1ada"}], "id": "CVE-2020-15183", "lastModified": "2020-09-23T20:00:52.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-17T20:15:13.417", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/uAMAwH35ups"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}