CVE-2020-24139

8.3 HIGH

📋 TL;DR

CVE-2020-24139 is a server-side request forgery (SSRF) vulnerability in Wcms 0.3.2 that allows attackers to make arbitrary HTTP requests from the vulnerable server via the path parameter in wex/cssjs.php. This enables attackers to scan internal networks, identify open ports, and potentially execute commands on local services. Anyone running Wcms 0.3.2 is affected.

💻 Affected Systems

Products:
  • Wcms
Versions: 0.3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only for Wcms 0.3.2; earlier versions may also be vulnerable, but this has not been confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through command execution on internal services, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Internal network reconnaissance, port scanning, and potential access to internal services that shouldn't be exposed.

🟢 If Mitigated

Limited to port scanning and service enumeration without command execution if proper network segmentation exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.3 or later

Vendor Advisory: https://github.com/vedees/wcms/issues/8

Restart Required: No

Instructions:

1. Back up your Wcms installation.
2. Download Wcms 0.3.3 or later from the official repository.
3. Replace the vulnerable wex/cssjs.php file with the patched version.
4. Verify the fix by testing the SSRF vector.

🔧 Temporary Workarounds

Block access to wex/cssjs.php

all

Prevent access to the vulnerable endpoint via web server configuration

# For Apache: add to .htaccess
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files "cssjs.php">
    Order allow,deny
    Deny from all
</Files>

# For Nginx: add to server block
location ~ /wex/cssjs\.php$ {
    deny all;
    return 403;
}

Input validation filter

all

Add input validation to reject malicious path parameters

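# Add to wex/cssjs.php before processing path parameter
# Treat a missing or non-string path as empty so preg_match() always receives a string
$path = (isset($_GET['path']) && is_string($_GET['path'])) ? $_GET['path'] : '';
if (preg_match('/^(http|https|ftp|file|gopher|ldap|dict):\/\//i', $path)) {
    http_response_code(400);
    exit('Invalid path parameter');
}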

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Wcms server from internal services
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Test by accessing http://[wcms-server]/wex/cssjs.php?path=http://localhost:22 and checking whether it returns an SSH banner or an error.

Check Version:

Check the Wcms version in the admin panel or examine the version.txt file in the installation directory.

Verify Fix Applied:

Attempt the same test after patching; it should return an error or be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to wex/cssjs.php with external URLs in path parameter
  • Multiple rapid requests to wex/cssjs.php with different port numbers

Network Indicators:

  • Outbound connections from Wcms server to internal services on unusual ports
  • Port scanning patterns originating from Wcms server

SIEM Query:

source="wcms_access.log" AND uri="/wex/cssjs.php" AND query="*path=http*"
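
The two log indicators above, as an added example (not part of the original advisory or the Wcms project): it URL-decodes the path parameter so encoded or upper-case schemes that a literal `path=http` match would miss are still caught, then flags clients that probe several host:port targets within a short window. The combined log format, the constructed sample lines, the thresholds, and the names `ssrf_hits` and `port_sweeps` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "GET /wex/cssjs.php?path=http://localhost:22 HTTP/1.1" 200 51
203.0.113.7 - - [12/Mar/2021:10:00:02 +0000] "GET /wex/cssjs.php?path=http%3A%2F%2Flocalhost%3A80 HTTP/1.1" 200 0
203.0.113.7 - - [12/Mar/2021:10:00:03 +0000] "GET /wex/cssjs.php?path=HTTP://localhost:3306 HTTP/1.1" 200 0
198.51.100.4 - - [12/Mar/2021:10:05:00 +0000] "GET /wex/cssjs.php?path=css/main.css HTTP/1.1" 200 900
198.51.100.9 - - [12/Mar/2021:10:06:00 +0000] "GET /index.php?path=http://example.test/ HTTP/1.1" 200 10
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Any "scheme://authority" value; group 1 is the host[:port] being requested.
TARGET_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://([^/?#]*)', re.I)

def ssrf_hits(log_text):
    """Yield (client_ip, timestamp, target) for cssjs.php requests whose path is a URL."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, uri = m.groups()
        parts = urlsplit(uri)
        if not parts.path.endswith("/wex/cssjs.php"):
            continue
        for value in parse_qs(parts.query).get("path", []):  # parse_qs URL-decodes
            t = TARGET_RE.match(value)
            if t:
                when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
                yield ip, when, t.group(1).lower()

def port_sweeps(log_text, min_targets=3, window=timedelta(seconds=60)):
    """Return {client_ip: sorted targets} for clients probing many host:port pairs quickly."""
    by_ip = defaultdict(list)
    for ip, when, target in ssrf_hits(log_text):
        by_ip[ip].append((when, target))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for start, _ in events:
            seen = {t for w, t in events if start <= w <= start + window}
            if len(seen) >= min_targets:
                flagged[ip] = sorted(seen)
                break
    return flagged
```
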
