CVE-2020-11803
SpamTitan 7.07 - Remote Code Execution (Authenticated)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page.
Se detectó un problema en Titan SpamTitan versión 7.07. Un saneamiento inapropiado del parámetro jaction cuando interactúa con la página mailqueue.php, podría conllevar a una evaluación del código PHP del lado del servidor, porque la entrada proporcionada por el usuario es pasada directamente a la función php eval(). El usuario debe estar autenticado en la plataforma web antes de interactuar con la página
SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-15 CVE Reserved
- 2020-09-17 CVE Published
- 2020-09-18 First Exploit
- 2024-05-01 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/felmoltor | Third Party Advisory | |
| https://twitter.com/felmoltor | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/48817 | 2020-09-18 | |
| http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html | 2024-08-04 | |
| https://sensepost.com/blog/2020/clash-of-the-spamtitan | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.spamtitan.com | 2021-07-21 |