CVE-2020-35760

9.8 CRITICAL

📋 TL;DR

CVE-2020-35760 is an unrestricted file upload vulnerability in bloofoxCMS that allows attackers to upload malicious PHP files. This can lead to remote code execution and complete system compromise. All users running bloofoxCMS 0.5.2.1 are affected.

💻 Affected Systems

Products:
  • bloofoxCMS
Versions: 0.5.2.1
Operating Systems: Any OS running bloofoxCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of bloofoxCMS 0.5.2.1 are vulnerable by default. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover via remote code execution, data theft, defacement, and lateral movement within the network.

🟠 Likely Case

Webshell deployment leading to data exfiltration, website defacement, and server compromise.

🟢 If Mitigated

File uploads are blocked or properly validated; the remaining impact of upload attempts is limited to denial of service.

🌐 Internet-Facing: HIGH - Web applications with file upload functionality are prime targets for automated exploitation.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload bypass with no authentication required. Exploitation tools and scripts are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - bloofoxCMS appears abandoned

Vendor Advisory: https://github.com/alexlang24/bloofoxCMS/issues/9

Restart Required: No

Instructions:

No official patch exists. Consider migrating to an alternative CMS or implementing strict file upload validation.

🔧 Temporary Workarounds

File Upload Restriction (applies to: all)

Implement server-side file type validation and restrict uploads to safe extensions only.

  • Modify the upload handling code to validate file extensions and MIME types
  • Implement file content checking
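As an added example, not code from bloofoxCMS or from the advisory, the following Python function shows what the server-side checks described here look like when combined: an extension allowlist that also rejects doubled extensions such as name.php.jpg, a magic-byte check on the file body (the client-supplied Content-Type header is never consulted, since the uploader controls it), and a scan of the content for PHP open tags. The allowed types, magic signatures, error strings and the random storage-name helper are assumptions chosen for the example.

```python
"""Server-side upload validation: extension allowlist, magic-byte sniff, content scan."""
import re
import secrets

# Assumed allowlist for the example: image and document types only.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes each allowed type must start with (constructed for the example).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions the web server may hand to the PHP interpreter; they must not appear
# anywhere in the name, not only at the end (name.php.jpg is executed by some configs).
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "htaccess"}

# PHP open tags and the legacy <script language="php"> form, searched in the body so
# that a polyglot (valid image header followed by PHP code) is still rejected.
PHP_MARKERS = re.compile(rb"<\?(php|=)|<script[^>]*language[^>]*php", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason) for a candidate upload."""
    if "\x00" in filename:
        return False, "invalid filename"
    # Keep only the final path component; directory parts come from the client.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if any(p in DANGEROUS_EXTENSIONS for p in parts[1:-1]):
        return False, "dangerous inner extension"
    # bytes.startswith accepts a tuple of candidate prefixes.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if PHP_MARKERS.search(content):
        return False, "embedded PHP code"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Name to store the file under: random, so no client-chosen name reaches disk."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("script.php", b"<?php echo 1; ?>"),
        ("script.php.jpg", b"\xff\xd8\xff\xe0"),
        ("image.gif", b"GIF89a<?php echo 1; ?>"),
    ]
    for fname, body in samples:
        print(fname, "->", validate_upload(fname, body))
```

In a PHP deployment the same three checks map onto pathinfo() for the extension, the fileinfo extension (finfo) or a manual read of the first bytes of the temporary file for the magic check, and a scan of that temporary file before move_uploaded_file(); serving the upload directory with PHP execution disabled is the complementary server-side control.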

Web Application Firewall Rules (applies to: all)

Block PHP file uploads at the WAF level.

  • Add a WAF rule: deny requests with a Content-Type containing 'php' in file uploads
  • Block file extensions: .php, .phtml, .php3, .php4, .php5, .php7

🧯 If You Can't Patch

  • Disable file upload functionality completely in bloofoxCMS
  • Implement network segmentation to isolate bloofoxCMS from critical systems

🔍 How to Verify

Check if Vulnerable:

Check whether you are running bloofoxCMS version 0.5.2.1, then attempt to upload a PHP file through the CMS interface.

Check Version:

Check the CMS admin panel or read the version files in the installation directory.

Verify Fix Applied:

Test the file upload functionality with PHP files; they should be rejected. Verify that file validation is implemented.

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with .php extensions
  • Unusual POST requests to upload endpoints
  • Webshell access patterns in access logs

Network Indicators:

  • POST requests with PHP file uploads to CMS endpoints
  • Outbound connections from CMS server to unknown IPs

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*admin*") AND (file_extension="php" OR file_extension="phtml")
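The SIEM query above assumes a log source that already exposes a parsed file_extension field. Against raw web server access logs the uploaded filename sits inside the multipart body and never appears in the request line, so the observable sequence is a POST to an upload or admin endpoint followed by a request for a .php file under the directory where uploads are served. The following Python is an added example, not part of the advisory, that parses combined-format access log lines and correlates those two events per source IP. The log lines, client addresses and the directory names (/admin/, /media/, /upload/, /uploads/, /files/) are constructed for the example and are not bloofoxCMS's actual paths.

```python
"""Detect upload-then-execute patterns in web access logs (combined log format)."""
import re

# Constructed sample lines (not real traffic); paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:10:00:01 +0000] "POST /admin/index.php?mode=media&action=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:10:00:03 +0000] "GET /media/images/report.php HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Jan/2021:10:01:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:10:01:05 +0000] "POST /admin/index.php?mode=media&action=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:10:01:09 +0000] "GET /media/images/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2021:10:02:00 +0000] "GET /media/files/info.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Executable PHP extensions listed in the WAF workaround above.
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3457])$", re.IGNORECASE)
# Directories the server serves uploaded files from (assumed for the example).
UPLOAD_DIRS = ("/media/", "/upload/", "/uploads/", "/files/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["uri"].partition("?")
    entry["path"], entry["query"] = path, query
    return entry


def classify(entry):
    """Tag an entry with the log indicators named in the advisory."""
    tags = []
    path = entry["path"].lower()
    if entry["method"] == "POST" and ("upload" in path or "admin" in path):
        tags.append("upload_endpoint_post")
    if path.startswith(UPLOAD_DIRS) and PHP_EXT_RE.search(path):
        tags.append("php_in_upload_dir")
    return tags


def analyze(log_text):
    """Correlate per source IP. A request for a .php file in an upload directory is
    rated high when the same IP posted to an upload endpoint earlier in the log, and
    medium otherwise (still worth a look: a shell dropped from another address)."""
    posted = set()
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if "upload_endpoint_post" in tags:
            posted.add(entry["ip"])
        if "php_in_upload_dir" in tags:
            hits.append({
                "ip": entry["ip"],
                "path": entry["path"],
                "status": int(entry["status"]),
                "severity": "high" if entry["ip"] in posted else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:15} {hit["status"]} {hit["path"]}')
```

A 404 on the follow-up request (as in the last constructed line) still matters: it shows a probe for a file in the upload directory, and a later 200 for the same path would mean the upload succeeded.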
