CVE-2020-28693

8.8 HIGH

📋 TL;DR

HorizontCMS 1.0.0-beta lets an authenticated user install a theme by uploading a zip archive, and it extracts that archive into the web-accessible themes directory without checking what the archive contains. An attacker with that access can package a PHP file as a theme, upload it, and then run it with a single web request to the extracted file, gaining code execution as the web-server user. All 1.0.0-beta installations with the default configuration are affected.

💻 Affected Systems

Products:
  • HorizontCMS
Versions: 1.0.0-beta
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to upload themes. Default installation is vulnerable.

📦 What is this software?

HorizontCMS is an open-source, PHP-based content management system. Its administration interface lets privileged users install themes by uploading a zip archive, which is the feature this vulnerability abuses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise: the web shell is used to steal data, deploy ransomware, move laterally to other systems and install persistent backdoors.

🟠 Likely Case

Remote code execution as the web-server user, leading to website defacement, data exfiltration or installation of cryptocurrency-mining malware.

🟢 If Mitigated

With PHP execution blocked under the themes directory and uploads limited to trusted administrators, the flaw degrades to an arbitrary file write without direct code execution. Residual risk remains: the written files may still be loaded by the CMS itself or combined with other weaknesses, so treat the risk as reduced rather than eliminated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public proof-of-concept exploits available. Requires authenticated user account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available for 1.0.0-beta. Apply the workarounds below, and consider migrating to a maintained CMS if the project does not publish a fixed release.

🔧 Temporary Workarounds

Restrict PHP file uploads

Applies to: all

Configure the web server to refuse direct requests for PHP files under the themes directory. This stops the "execute it with a web request" step but not the upload itself: the malicious file still lands on disk, and if the CMS includes theme files server-side, the code can still run when that theme is activated. Two further caveats: the Apache rule must live somewhere the attacker cannot overwrite (if an uploaded archive containing a .htaccess is extracted into the same directory and AllowOverride permits it, that file replaces yours), so prefer a <Directory> block in the vhost configuration; and the Nginx rule must precede the generic PHP location, because nginx uses the first regular-expression location that matches.

# Apache 2.4: themes/.htaccess, or better a <Directory .../themes> block in the vhost config
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
# Apache 2.2 equivalent of "Require all denied":
#   Order Deny,Allow
#   Deny from all

# Nginx: in the server block, BEFORE the generic "location ~ \.php$" fastcgi block
location ~* ^/themes/.*\.(php|phtml|phar|php[0-9])$ {
    return 403;
}

Disable theme upload functionality

Applies to: all

Remove or disable the theme upload feature in HorizontCMS until a fixed release exists: remove the upload form from the admin interface and disable the server-side route or controller action that accepts and extracts the archive. Removing only the form is not enough, since the endpoint can still be called directly. Themes can then be installed out of band by an administrator copying files to the server. Record the change, since it modifies application code and will be lost on reinstall or upgrade.

🧯 If You Can't Patch

  • Validate theme archives before extraction rather than rejecting zip files outright (the feature needs them): allow only entries whose extensions are on a list of expected theme assets; reject any entry that can be executed or that changes server configuration (.php and its variants, .phtml, .phar, .htaccess, .user.ini); reject entries whose paths escape the target directory (absolute paths, "..") and symlink entries; and cap the total uncompressed size. If your themes legitimately contain PHP templates, this check cannot distinguish them from a web shell and you must rely on restricting who may upload.
  • Restrict who can reach the upload feature: limit theme installation to a small set of administrator accounts, enforce multi-factor authentication for them, and consider placing the admin interface behind a VPN or IP allowlist, since the exploit requires an authenticated session.
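
The validation described in the first point, as an added example in Python that is not part of HorizontCMS or this advisory: it inspects an uploaded archive before anything is extracted and reports every entry that violates the policy. The extension sets, the size cap, the special file names and the two sample archives are assumptions chosen for the demonstration; the checks go slightly beyond the text by also catching double extensions such as "shell.php.png" and symlink entries.

```python
import io
import posixpath
import zipfile

# Extensions a PHP-capable web server or the CMS may execute. Every dotted
# segment of the file name is checked, so "shell.php.png" is caught too.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phps",
                   "pht", "phtml", "phar", "inc", "cgi", "pl", "sh"}
# Per-directory server config files an attacker could use to re-enable
# execution after a web-server block has been put in place.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini", "web.config"}
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB: an assumed policy value


def _escapes_target(name: str) -> bool:
    """True if an entry path would land outside the extraction directory."""
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def validate_theme_zip(data: bytes) -> list[str]:
    """Return the list of policy violations; empty means nothing objectionable
    was found (this is a policy check, not a malware scan)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    total = 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_target(name):
                problems.append(f"path escapes extraction dir: {name}")
            # Unix mode bits live in the high 16 bits of external_attr;
            # 0o120000 is the S_IFLNK file type.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"symlink entry: {name}")
            if info.is_dir():
                continue
            base = posixpath.basename(name).lower()
            if base in SERVER_CONFIG_NAMES:
                problems.append(f"server config file: {name}")
            hit = set(base.split(".")[1:]) & EXECUTABLE_EXTS
            if hit:
                problems.append(f"executable extension {sorted(hit)}: {name}")
            total += info.file_size
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def build_sample_theme_zip(malicious: bool) -> bytes:
    """Constructed sample archive for the demonstration (not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme.json", '{"name": "demo"}')
        zf.writestr("css/style.css", "body { color: #333; }")
        zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
        if malicious:
            zf.writestr("shell.php", "<?php system($_GET['cmd']); ?>")
            zf.writestr("images/x.php.png", "<?php phpinfo(); ?>")
            zf.writestr(".htaccess", "AddHandler application/x-httpd-php .png")
            zf.writestr("../../config.php", "<?php // would overwrite app config")
            link = zipfile.ZipInfo("images/link")
            link.external_attr = 0o120777 << 16  # lrwxrwxrwx
            zf.writestr(link, "../../../../etc/passwd")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_theme_zip(False)),
                        ("malicious", build_sample_theme_zip(True))):
        print(label, validate_theme_zip(data) or "OK")
```

Run the check on the raw upload and refuse the whole archive on any violation; extracting the "good" entries and skipping the bad ones invites a second attempt with a slightly different name.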

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version is HorizontCMS 1.0.0-beta. To test, in a staging copy only, log in as a user permitted to upload themes, upload a zip containing a harmless marker (for example a PHP file that prints a fixed string and nothing else) and request it under the themes path; if the marker string comes back, the instance is vulnerable.

Check Version:

Check HorizontCMS version in admin panel or configuration files

Verify Fix Applied:

Upload the same harmless marker archive and confirm either that the archive is rejected at upload or, where only the web-server workaround is in place, that requesting the file under the themes path returns 403 rather than its output. Re-check after web-server or CMS upgrades, since per-directory configuration such as .htaccess can be lost.

📡 Detection & Monitoring

Log Indicators:

  • Theme uploads outside change windows or by accounts that do not normally install themes; uploaded archives containing .php (or .phtml, .phar) entries; any web-server access-log hit for a PHP file under the themes path, especially with a 200 status (a 403 indicates the execution block held)
  • New PHP files appearing under the themes directory on disk (file-integrity monitoring), and web-server worker processes spawning shells or other unexpected child processes

Network Indicators:

  • Requests of any method for /themes/*.php (and other executable extensions), often carrying command-like query strings; a POST to the theme upload route followed shortly by such a request from the same client; unexpected outbound connections from the web server after that request

SIEM Query:

web_access_logs WHERE (uri LIKE '/themes/%.php%' OR uri LIKE '/themes/%.phtml%' OR uri LIKE '/themes/%.phar%') OR (method = 'POST' AND uri LIKE '/admin/themes/upload%')

The upload path above is the one used throughout this page; substitute the route your installation actually exposes. Correlating the upload POST with a later request for a PHP file under /themes from the same source address within a short window separates real exploitation from scanner noise.
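
The correlation the query aims at, as an added Python example that is not part of the original page: it parses combined-format access-log lines, flags theme uploads and direct requests for PHP files under /themes, and raises a critical alert when the same client does both within a configurable window. The upload route, the window length and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined or common log format (fields after status are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumed admin route for theme upload; replace with the path your install uses.
UPLOAD_PATH = "/admin/themes/upload"
# Direct request, any method, for something executable under the themes tree.
THEME_PHP_RE = re.compile(r"^/themes/.*\.(?:php\d?|phtml|phar)(?:\?.*)?$", re.IGNORECASE)

# Constructed sample access log: one attacker session (upload, then shell),
# one legitimate asset fetch, one probe stopped by the 403 workaround, and
# one line that does not parse.
SAMPLE_LOG = [
    '203.0.113.7 - admin [10/Mar/2021:14:02:11 +0000] "POST /admin/themes/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2021:14:02:40 +0000] "GET /themes/dark/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.3 - - [10/Mar/2021:14:05:00 +0000] "GET /themes/default/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Mar/2021:14:06:00 +0000] "GET /themes/default/index.php HTTP/1.1" 403 199 "-" "python-requests/2.25"',
    "garbage line that does not parse",
]


def parse_line(line: str):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Emit alerts for uploads, theme PHP hits, and upload-then-exec chains."""
    events = sorted((ev for ev in map(parse_line, lines) if ev), key=lambda e: e["ts"])
    uploads = defaultdict(list)  # ip -> timestamps of theme uploads seen so far
    alerts = []

    def emit(rule, severity, ev):
        alerts.append({"rule": rule, "severity": severity, "ip": ev["ip"],
                       "uri": ev["uri"], "ts": ev["ts"].isoformat()})

    for ev in events:
        path = ev["uri"].split("?", 1)[0]
        if ev["method"] == "POST" and path.startswith(UPLOAD_PATH):
            uploads[ev["ip"]].append(ev["ts"])
            emit("theme_upload", "medium", ev)
        elif THEME_PHP_RE.match(ev["uri"]):
            # 200 means the server ran (or at least served) the file; anything
            # else is a probe that the execution block or a missing file stopped.
            served = ev["status"] == 200
            emit("theme_php_served" if served else "theme_php_blocked",
                 "high" if served else "medium", ev)
            if any(timedelta(0) <= ev["ts"] - t <= window for t in uploads.get(ev["ip"], ())):
                emit("upload_then_exec", "critical", ev)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"]:8} {a["rule"]:18} {a["ip"]:14} {a["uri"]}')
```

The upload event is kept at medium severity on its own because administrators do legitimately install themes; it is the pairing with a subsequent PHP request under /themes that justifies paging someone.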
