CVE-2020-21474

9.8 CRITICAL

📋 TL;DR

CVE-2020-21474 is a critical file upload vulnerability in NucleusCMS v3.71 that allows remote attackers to upload malicious files and execute arbitrary code on the server. This affects all installations running the vulnerable version of this content management system.

💻 Affected Systems

Products:
  • NucleusCMS
Versions: Version 3.71
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the vulnerable plugin directory accessible via web.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, or use as a foothold for lateral movement within the network.

🟠 Likely Case

Webshell installation allowing persistent backdoor access, data exfiltration, and further exploitation of the server.

🟢 If Mitigated

Limited impact if file uploads are disabled or proper file type validation is implemented at the web application firewall level.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires direct access to the vulnerable endpoint with no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.72 or later

Vendor Advisory: https://github.com/NucleusCMS/NucleusCMS/issues/95

Restart Required: No

Instructions:

1. Back up your current installation.
2. Download the latest version from the official repository.
3. Replace all files except the configuration and upload directories.
4. Verify the fix by checking the version number.

🔧 Temporary Workarounds

Block vulnerable endpoint (applies to: all)

Add web server rules to block access to the vulnerable plugin directory:

# Apache: RewriteRule ^/nucleus/plugins/skinfiles/ - [F,L]
# Nginx: location ~ ^/nucleus/plugins/skinfiles/ { deny all; }

Disable file uploads (applies to: all)

Modify the CMS configuration to disable file upload functionality:

# Edit nucleus/config.php and set $CONF['AllowUpload'] = 0;

🧯 If You Can't Patch

  • Implement strict file upload validation at the web application firewall level
  • Restrict network access to the CMS administration interface

🔍 How to Verify

Check if Vulnerable:

Check if accessing /nucleus/plugins/skinfiles/?dir=rsd returns a file upload interface without authentication

Check Version:

Check the VERSION file in the nucleus directory or view the admin dashboard

Verify Fix Applied:

Verify the version is 3.72+ and the vulnerable endpoint no longer allows arbitrary file uploads

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /nucleus/plugins/skinfiles/ with file uploads
  • Unusual file creation in web-accessible directories

Network Indicators:

  • POST requests to the vulnerable endpoint with executable file extensions
  • Outbound connections from the web server to unknown IPs

SIEM Query:

source="web_server" AND (uri="/nucleus/plugins/skinfiles/" OR uri="/nucleus/plugins/skinfiles/?dir=rsd")
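The log indicators above, turned into a small access-log triage script. This is an added example, not part of the advisory or of NucleusCMS; it assumes combined-format Apache/Nginx logs, treats index.php as the plugin's legitimate entry point (an assumption), and runs on constructed sample lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined-format access log line (Apache/Nginx default; assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
SKINFILES_PATH = "/nucleus/plugins/skinfiles/"    # endpoint named in the advisory
EXEC_EXTS = (".php", ".phtml", ".php5", ".phar")  # server-side executable extensions
PLUGIN_ENTRY = "index.php"                        # assumed legitimate plugin entry point

@dataclass
class Finding:
    severity: str
    ip: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if not path.startswith(SKINFILES_PATH):
        return None
    method, status, ip = m["method"], m["status"], m["ip"]
    name = path.rsplit("/", 1)[-1]
    # An executable file under the upload path (other than the plugin's own entry point) suggests an uploaded file is being run.
    if name != PLUGIN_ENTRY and name.lower().endswith(EXEC_EXTS):
        return Finding("high", ip, f"{method} to executable file {name} under skinfiles path")
    if method == "POST":  # upload attempt; a 2xx means the server accepted it
        return Finding("high" if status.startswith("2") else "medium", ip,
                       f"POST to skinfiles endpoint (HTTP {status})")
    if "dir=rsd" in query:  # the unauthenticated upload interface named in the advisory
        return Finding("medium", ip, "probe of skinfiles upload interface (?dir=rsd)")
    return None

def scan(lines) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines for illustration, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /nucleus/plugins/skinfiles/?dir=rsd HTTP/1.1" 200 2311',
    '203.0.113.5 - - [10/Mar/2021:12:00:07 +0000] "POST /nucleus/plugins/skinfiles/?dir=rsd HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2021:12:00:12 +0000] "GET /nucleus/plugins/skinfiles/rsd/x.php HTTP/1.1" 200 64',
    '198.51.100.9 - - [10/Mar/2021:12:01:00 +0000] "GET /nucleus/index.php HTTP/1.1" 200 8814',
]
if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip}: {f.reason}")
```

Pipe a real access log into scan() and group findings by source IP; a probe followed by an accepted POST and then a request for a new executable file from the same address is the sequence to escalate on.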

🔗 References
