CVE-2020-25790

7.2 HIGH

📋 TL;DR

Typesetter CMS 5.x through 5.1 allows authenticated administrators to upload ZIP archives containing PHP files, which can then be executed on the server. This vulnerability enables remote code execution by privileged users who have admin access. While the vendor disputes the severity since admins are considered trustworthy, this contradicts their security policy and poses a significant risk.

💻 Affected Systems

Products:
  • Typesetter CMS
Versions: 5.x through 5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with admin users who have file upload privileges. The vendor disputes significance but acknowledges it contradicts security policy.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with compromised admin credentials could execute arbitrary PHP code, leading to complete system compromise, data theft, defacement, or installation of persistent backdoors.

🟠 Likely Case

A malicious insider or an attacker who has obtained admin credentials through other means could execute arbitrary code to gain control of the CMS and underlying server.

🟢 If Mitigated

With proper access controls and admin credential protection, the risk is limited to authorized administrators who would need to intentionally exploit the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials. Multiple public exploit details are available in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2

Vendor Advisory: https://github.com/Typesetter/Typesetter/issues/674

Restart Required: No

Instructions:

1. Back up your Typesetter installation and database.
2. Download Typesetter 5.2 or later from the official repository.
3. Replace all files with the new version, preserving your data directory.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Restrict Admin File Uploads (platform: all)

Disable ZIP file upload functionality for admin users, or restrict uploads to non-executable file types.

Modify the Typesetter configuration to remove the ZIP upload capability from the admin interface.
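The "restrict uploads to non-executable file types" workaround above has to be applied to the contents of the archive, not just to the archive's own extension. The following is an added example (not Typesetter's code) of the screening an upload handler can run before extracting an admin-supplied ZIP into a web-served directory: it rejects entries with PHP-executable extensions anywhere in the name, server configuration files that could change handler mappings, and path-traversal entries. The extension set, file names and the two sample archives are constructed for the demonstration.

```python
"""Pre-extraction screening of an uploaded ZIP archive (added example).

Not Typesetter's own code. Runs before any entry is written to disk; if any
entry is rejected the whole archive should be refused rather than partially
extracted.
"""
import io
import zipfile

# Extensions a typical web server hands to the PHP interpreter. This set is an
# assumption for the example; tune it to the handlers your server actually maps.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
}
# Per-directory server config files that can re-enable execution or remap handlers.
CONFIG_FILES = {".htaccess", ".user.ini", "web.config"}


def _entry_problems(name):
    """Return the reasons one archive entry name is unsafe (empty list if fine)."""
    problems = []
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        problems.append("absolute path")
    parts = normalized.split("/")
    if ".." in parts:
        problems.append("path traversal")
    base = parts[-1]
    if base in CONFIG_FILES:
        problems.append("server config file")
    # Inspect every dotted segment after the first, so "a.php.txt" and "x.phtml"
    # are both caught (multi-extension handler configs can execute the former).
    segments = base.lower().split(".")[1:]
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        problems.append("executable extension")
    return problems


def screen_archive(data):
    """Screen ZIP bytes; return {entry_name: [problems]} for every rejected entry.

    An empty dict means every file entry passed.
    """
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            problems = _entry_problems(info.filename)
            if problems:
                rejected[info.filename] = problems
    return rejected


def build_sample_zip(entries):
    """Construct an in-memory ZIP from {name: content} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a clean theme package and one that must be refused.
CLEAN_ARCHIVE = build_sample_zip({
    "theme/style.css": b"body { color: #333; }",
    "theme/images/logo.png": b"\x89PNG\r\n\x1a\n",
})
BAD_ARCHIVE = build_sample_zip({
    "theme/style.css": b"body { color: #333; }",
    "theme/index.phtml": b"placeholder content",
    "theme/.htaccess": b"# constructed config file",
    "../../config.txt": b"placeholder content",
})

if __name__ == "__main__":
    print("clean archive, rejected entries:", screen_archive(CLEAN_ARCHIVE))
    print("bad archive, rejected entries:", screen_archive(BAD_ARCHIVE))
```

Refusing the whole archive on the first rejected entry is deliberate: extracting only the "good" entries still leaves an admin-supplied package in a web-served path and makes the rejection easy to miss in logs.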

Web Server File Execution Restriction (platform: linux)

Configure the web server so that PHP files under the upload directories are never passed to the PHP interpreter.

For Apache: add 'php_flag engine off' to a .htaccess file in each upload directory. This directive only takes effect when PHP runs as an Apache module (mod_php); with PHP-FPM, deny access to *.php files in those directories instead.
For Nginx: add 'location ~ \.php$ { deny all; }' for the upload paths, nested inside a prefix location for the upload directory or placed before the site's general PHP location, since Nginx uses the first matching regex location.

🧯 If You Can't Patch

  • Implement strict access controls for admin accounts with multi-factor authentication
  • Monitor file upload activities and audit admin actions regularly

🔍 How to Verify

Check if Vulnerable:

Check your Typesetter version in the admin panel or by examining the installation files. Versions 5.0 through 5.1 are vulnerable.

Check Version:

Check admin dashboard or examine /index.php for version information

Verify Fix Applied:

After upgrading, verify the version shows 5.2 or later in the admin interface and test that PHP files in ZIP archives cannot be executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ZIP file uploads by admin users
  • Execution of PHP files from upload directories
  • Admin login from unexpected locations

Network Indicators:

  • HTTP POST requests with ZIP files to admin upload endpoints
  • Unexpected outbound connections from web server

SIEM Query:

source="web_logs" AND (uri_path="/Admin/Upload" OR uri_path CONTAINS ".zip") AND user_role="admin"
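The SIEM query above assumes a user_role field that plain web server logs do not carry, and a ZIP filename that, for a multipart upload, appears in the request body rather than the URI. The following is an added example (not part of the original advisory) of the same indicators expressed over Apache/Nginx combined-format access logs: a POST to an admin path stands in for "ZIP upload by admin", and a PHP path under the upload directory returning 200 is "execution of PHP files from upload directories". The /Admin/ prefix is taken from the advisory's query; the upload directory path and every log line are constructed placeholders for the demonstration.

```python
"""Detection over constructed combined-format access-log lines (added example).

Not part of the advisory. Assumptions: admin routes live under /Admin/ and
uploaded files are served from UPLOAD_DIR_PREFIX (placeholder value).
"""
import re

# host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

ADMIN_UPLOAD_PREFIX = "/admin/"          # assumption: Typesetter admin routes sit under /Admin/
UPLOAD_DIR_PREFIX = "/data/_uploaded/"   # placeholder: set to the real upload directory
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)($|\.)")  # also catches double extensions


def classify(line):
    """Map one log line to an indicator record, or None if benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    path = f["path"].split("?", 1)[0].lower()
    if f["method"] == "POST" and path.startswith(ADMIN_UPLOAD_PREFIX):
        indicator = "admin_upload"
    elif path.startswith(UPLOAD_DIR_PREFIX) and PHP_EXT_RE.search(path):
        # 200: the server handed a PHP file from the upload directory to the
        # interpreter (or served it). 403: the execution block held but was probed.
        indicator = ("php_in_upload_dir_served" if f["status"] == "200"
                     else "php_in_upload_dir_blocked")
    else:
        return None
    return {"indicator": indicator, "ip": f["ip"], "path": f["path"],
            "status": f["status"], "time": f["time"]}


def scan(lines):
    """Run classify over an iterable of log lines, keeping only hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def correlate(hits):
    """IPs that both posted to an admin path and had PHP served from the upload dir."""
    uploaders = {h["ip"] for h in hits if h["indicator"] == "admin_upload"}
    executors = {h["ip"] for h in hits if h["indicator"] == "php_in_upload_dir_served"}
    return sorted(uploaders & executors)


# Constructed sample log: one admin upload followed by a PHP request under the
# upload directory, benign traffic from a second host, and one blocked probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "POST /Admin/Upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:00:09 +0000] "GET /data/_uploaded/theme/index.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:01:05 +0000] "GET /data/_uploaded/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:02:00 +0000] "GET /data/_uploaded/theme/x.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit["indicator"], hit["ip"], hit["path"], hit["status"])
    print("upload-then-execute from:", correlate(found))
```

Keep the 403 hits: they do not indicate compromise when the web server workaround is in place, but they show that someone with admin access tried to reach a PHP file in the upload tree, which is worth an audit of that account.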
