CVE-2020-15150

9.0 CRITICAL

📋 TL;DR

This vulnerability in the Paginator Elixir/Hex package allows remote attackers to execute arbitrary code by manipulating input parameters to the paginate() function. All users of Paginator versions prior to 1.0.0 are affected. The vulnerability enables complete system compromise through remote code execution.

💻 Affected Systems

Products:
  • Paginator (Elixir/Hex package)
Versions: All versions prior to 1.0.0
Operating Systems: All operating systems running Elixir applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using the vulnerable paginate() function. Requires Elixir version >=1.5 for the patched version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the server, allowing data theft, lateral movement, and persistent access.

🟠

Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential deployment of malware or ransomware.

🟢

If Mitigated

No impact if patched to version 1.0.0 or if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only manipulation of input parameters to the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0

Vendor Advisory: https://github.com/duffelhq/paginator/security/advisories/GHSA-w98m-2xqg-9cvj

Restart Required: Yes

Instructions:

1. Update mix.exs to specify paginator version '~> 1.0.0'.
2. Run 'mix deps.update paginator'.
3. Recompile and restart your application.

🔧 Temporary Workarounds

Input Validation Workaround

all

Implement strict input validation and sanitization for all parameters passed to the paginate() function.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all paginate() function parameters
  • Deploy network segmentation and restrict access to affected applications

🔍 How to Verify

Check if Vulnerable:

Check mix.lock (or mix.exs) for the paginator version. If the version is below 1.0.0, the application is vulnerable.

Check Version:

grep -A 2 'paginator' mix.lock

Verify Fix Applied:

Verify that the paginator version in mix.lock is >=1.0.0, then test the paginate() function with malicious inputs.
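A script that automates the version check above, added here as an example and not part of the advisory or the paginator project: it reads the version pinned in mix.lock (assuming the standard Hex entry layout, shown on a constructed sample file) and reports whether it is below the fixed 1.0.0 release.

```shell
#!/bin/sh
# Added example (not from the advisory or the paginator project): read the
# paginator version locked in mix.lock and compare it with the fixed release
# 1.0.0 for CVE-2020-15150. Assumes the standard Hex entry layout:
#   "paginator": {:hex, :paginator, "0.6.0", "<sha>", [:mix], [...], "hexpm", "<sha>"},

# paginator_version FILE: print the locked paginator version, or nothing.
paginator_version() {
  sed -n 's/^[[:space:]]*"paginator": {:hex, :paginator, "\([^"]*\)".*/\1/p' "$1"
}

# version_lt A B: succeed when A sorts strictly before B, comparing the numeric
# major.minor.patch parts (a pre-release suffix such as -rc.1 is ignored).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s\n' "$1" | cut -s -d. -f"$i" | sed 's/[^0-9].*//')
    b=$(printf '%s\n' "$2" | cut -s -d. -f"$i" | sed 's/[^0-9].*//')
    if [ "${a:-0}" -lt "${b:-0}" ]; then return 0; fi
    if [ "${a:-0}" -gt "${b:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# check_paginator FILE: returns 0 if vulnerable, 1 if fixed, 2 if not locked.
check_paginator() {
  v=$(paginator_version "$1")
  if [ -z "$v" ]; then
    echo "paginator is not locked in $1"
    return 2
  fi
  if version_lt "$v" 1.0.0; then
    echo "VULNERABLE: paginator $v < 1.0.0 (CVE-2020-15150); set '~> 1.0.0' in mix.exs"
    return 0
  fi
  echo "OK: paginator $v >= 1.0.0"
  return 1
}

# Constructed sample mix.lock with placeholder hashes (not a real project).
SAMPLE_LOCK=$(mktemp)
cat >"$SAMPLE_LOCK" <<'EOF'
%{
  "ecto": {:hex, :ecto, "3.4.6", "SHA_PLACEHOLDER", [:mix], [], "hexpm", "SHA_PLACEHOLDER"},
  "paginator": {:hex, :paginator, "0.6.0", "SHA_PLACEHOLDER", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}], "hexpm", "SHA_PLACEHOLDER"},
}
EOF
check_paginator "$SAMPLE_LOCK"
```

Point check_paginator at a project's real mix.lock to run the check in CI; the exit code distinguishes vulnerable, fixed and absent.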

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Elixir application
  • Suspicious paginate() function calls with unexpected parameters

Network Indicators:

  • Outbound connections from application to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

source='application_logs' AND (message LIKE '%paginate%' AND (message LIKE '%exec%' OR message LIKE '%system%' OR message LIKE '%eval%'))

🔗 References