CVE-2020-15183

Reflected XSS leading to RCE in SoyCMS

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS) which leads to Remote Code Execution (RCE) from a known vulnerability. This allows remote attackers to force the administrator to edit files once the adminsitrator loads a specially crafted webpage.

SoyCMS versiones 3.0.2 y anteriores, están afectadas por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado que conlleva a una Ejecución de Código Remota (RCE) a partir de una vulnerabilidad conocida. Esto permite a atacantes remotos forzar al administrador a editar archivos una vez que el administrador carga una página web especialmente diseñada

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-09-17 CVE Published
2023-03-07 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48	Third Party Advisory

URL	Date	SRC
https://youtu.be/uAMAwH35ups	2024-08-04

URL	Date	SRC
https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707	2020-09-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Soycms Project Search vendor "Soycms Project"		Soycms Search vendor "Soycms Project" for product "Soycms"				<= 3.0.2 Search vendor "Soycms Project" for product "Soycms" and version " <= 3.0.2"		-		Affected