CVE-2020-15183 - Vulnerability Details - OpenCVE

Description

SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage.

Published: 2020-09-17

Score: 8.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

inunosinsi

soycms

affected

Version	Status	Constraints
`<= 3.0.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-7251	SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00771.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707
https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48
https://youtu.be/uAMAwH35ups

History

No history.

Subscriptions

Soycms Project Soycms

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-17T20:10:13.000Z

Updated: 2024-08-04T13:08:22.471Z

Reserved: 2020-06-25T00:00:00.000Z

Link: CVE-2020-15183

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-17T20:15:13.417

Modified: 2024-11-21T05:05:01.533

Link: CVE-2020-15183

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "soycms", "vendor": "inunosinsi", "versions": [{"status": "affected", "version": "<= 3.0.2"}]}], "descriptions": [{"lang": "en", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-17T20:10:12.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"tags": ["x_refsource_MISC"], "url": "https://youtu.be/uAMAwH35ups"}], "source": {"advisory": "GHSA-33q6-4xmp-2f48", "discovery": "UNKNOWN"}, "title": "Reflected XSS leading to RCE in SoyCMS", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15183", "STATE": "PUBLIC", "TITLE": "Reflected XSS leading to RCE in SoyCMS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "soycms", "version": {"version_data": [{"version_value": "<= 3.0.2"}]}}]}, "vendor_name": "inunosinsi"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48", "refsource": "CONFIRM", "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"name": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707", "refsource": "MISC", "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"name": "https://youtu.be/uAMAwH35ups", "refsource": "MISC", "url": "https://youtu.be/uAMAwH35ups"}]}, "source": {"advisory": "GHSA-33q6-4xmp-2f48", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.471Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://youtu.be/uAMAwH35ups"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15183", "datePublished": "2020-09-17T20:10:13.000Z", "dateReserved": "2020-06-25T00:00:00.000Z", "dateUpdated": "2024-08-04T13:08:22.471Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC0B8010-14FC-4DEC-8396-5532F44A5A2F", "versionEndIncluding": "3.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage."}, {"lang": "es", "value": "SoyCMS versiones 3.0.2 y anteriores, est\u00e1n afectadas por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado que conlleva a una Ejecuci\u00f3n de C\u00f3digo Remota (RCE) a partir de una vulnerabilidad conocida. Esto permite a atacantes remotos forzar al administrador a editar archivos una vez que el administrador carga una p\u00e1gina web especialmente dise\u00f1ada"}], "id": "CVE-2020-15183", "lastModified": "2024-11-21T05:05:01.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-17T20:15:13.417", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/uAMAwH35ups"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/uAMAwH35ups"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}