CVE-2020-36079

7.2 HIGH

📋 TL;DR

Zenphoto CMS versions through 1.5.7 allow authenticated administrators to upload arbitrary files, including PHP web shells, leading to remote code execution. This affects all Zenphoto installations with the vulnerable uploader plugin enabled. The vendor disputes the severity since exploitation requires admin privileges.

💻 Affected Systems

Products:
  • Zenphoto CMS
Versions: through 1.5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires uploader plugin with elFinder enabled. Admin authentication is required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise via web shell upload, allowing an attacker to execute arbitrary commands, steal data, pivot to internal networks, or maintain persistent access.

🟠

Likely Case

Privileged admin user (malicious or compromised) uploads PHP backdoor to gain persistent remote access and execute code on the web server.

🟢

If Mitigated

Limited impact due to admin-only access requirement and proper file upload restrictions in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials. Public proof-of-concept demonstrates file upload via drag-and-drop in elFinder interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/

Restart Required: No

Instructions:

No official patch. Vendor considers this expected admin functionality. Upgrade to latest version and implement workarounds.

🔧 Temporary Workarounds

Disable elFinder uploader

Platform: all

Remove or disable the elFinder file manager component from the uploader plugin.

Remove elFinder directory from plugins/uploader/

Restrict file upload extensions

Platform: linux

Configure web server to block execution of uploaded PHP files in upload directories.

Add to the .htaccess of each upload directory (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of "Deny from all"):

    <FilesMatch "\.(php|php5|phtml)$">
        Deny from all
    </FilesMatch>

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for admin accounts
  • Regularly audit uploaded files and server file system for suspicious PHP files

🔍 How to Verify

Check if Vulnerable:

Check the Zenphoto version in the admin dashboard or readme.txt. If the version is 1.5.7 or earlier and the uploader plugin with elFinder is enabled, the system is vulnerable.

Check Version:

Check admin dashboard or readme.txt file in Zenphoto root directory

Verify Fix Applied:

Verify elFinder is disabled or removed from uploader plugin. Test file upload functionality with PHP files.
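The following script is an added example, not part of the advisory or of Zenphoto itself. It turns the "audit uploaded files" advice above and the "Verify Fix Applied" step into one offline check: it tests whether the plugins/uploader/elFinder directory named in the workaround still exists, lists files with the PHP extensions from the .htaccess workaround under the upload directories, and confirms that each upload directory's .htaccess actually contains a FilesMatch block that denies them. The upload directory names ("albums", "uploaded") are assumptions to adjust for your install; the demo tree is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Extension list matches the .htaccess workaround in the advisory.
PHP_EXT = re.compile(r"\.(php|php5|phtml)$", re.IGNORECASE)
# Directory named in the advisory's "Disable elFinder uploader" workaround.
ELFINDER_DIR = os.path.join("plugins", "uploader", "elFinder")
# Assumed upload locations (hypothetical; adjust for your installation).
UPLOAD_DIRS = ("albums", "uploaded")


def elfinder_present(root):
    """True while the elFinder component is still on disk."""
    return os.path.isdir(os.path.join(root, ELFINDER_DIR))


def php_files_under(root, subdirs=UPLOAD_DIRS):
    """Relative paths of files with executable PHP extensions under the upload dirs."""
    hits = []
    for sub in subdirs:
        base = os.path.join(root, sub)
        for dirpath, _, filenames in os.walk(base):  # silently yields nothing if base is absent
            for name in filenames:
                if PHP_EXT.search(name):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def htaccess_blocks_php(directory):
    """True if .htaccess has a FilesMatch block that covers .php and denies access
    (accepts both the Apache 2.2 'Deny from all' and 2.4 'Require all denied' forms)."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path) as f:
        text = f.read()
    block = re.search(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', text, re.S | re.I)
    if not block:
        return False
    pattern, body = block.groups()
    covers_php = re.search(pattern, "x.php", re.I) is not None
    denies = re.search(r"Deny from all|Require all denied", body, re.I) is not None
    return covers_php and denies


def audit(root):
    """Combine the three checks into one report for a Zenphoto root directory."""
    report = {
        "elfinder_present": elfinder_present(root),
        "php_files": php_files_under(root),
        "htaccess": {},
    }
    for sub in UPLOAD_DIRS:
        d = os.path.join(root, sub)
        if os.path.isdir(d):
            report["htaccess"][sub] = htaccess_blocks_php(d)
    return report


def build_demo_tree():
    """Constructed sample install (not a real Zenphoto tree) so the audit runs offline:
    elFinder still present, one stray .php under albums/, and a correct .htaccess."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ELFINDER_DIR))
    os.makedirs(os.path.join(root, "albums", "holiday"))
    open(os.path.join(root, "albums", "holiday", "img_01.jpg"), "w").close()
    open(os.path.join(root, "albums", "holiday", "cache.php"), "w").close()
    with open(os.path.join(root, "albums", ".htaccess"), "w") as f:
        f.write('<FilesMatch "\\.(php|php5|phtml)$">\n    Require all denied\n</FilesMatch>\n')
    return root


if __name__ == "__main__":
    for key, value in audit(build_demo_tree()).items():
        print(f"{key}: {value}")
```

On the constructed tree the report shows elFinder still present and one stray cache.php under albums/, so the install is not yet remediated even though the .htaccess rule is correct; run it against the real document root on a schedule and alert on any change in the php_files list.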

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to uploader plugin, especially PHP files
  • Admin account activity from unexpected locations/times

Network Indicators:

  • HTTP POST requests to upload endpoints with PHP file content
  • Subsequent requests to uploaded PHP files

SIEM Query:

source="web_server" (uri_path="/plugins/uploader/" AND method="POST") OR (uri_path CONTAINS ".php" AND referrer CONTAINS "uploader")
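As an added example (not from the advisory or from any SIEM product), the detection logic above expressed over Apache/nginx combined-format log lines: it flags POSTs to the /plugins/uploader/ endpoint, correlates them with a request for a PHP file from the same client within a ten-minute window (the pattern of "upload, then browse to the uploaded file"), and separately applies the advisory's looser "PHP path with an uploader referrer" rule. The log lines, host name, and file paths are constructed samples; the ten-minute window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_ENDPOINT = "/plugins/uploader/"  # path from the advisory's SIEM query
PHP_EXT = re.compile(r"\.(php|php5|phtml)$", re.IGNORECASE)  # same list as the .htaccess workaround
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log (hypothetical host, paths and addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:15:02 +0000] "POST /plugins/uploader/upload.php?album=test HTTP/1.1" 200 512 "http://gallery.example/zp-core/admin.php" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:15:09 +0000] "GET /albums/test/cache.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:16:00 +0000] "GET /albums/test/photo.jpg HTTP/1.1" 200 9931 "http://gallery.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:17:30 +0000] "GET /zp-core/admin.php HTTP/1.1" 200 4410 "http://gallery.example/plugins/uploader/" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def find_indicators(log_text):
    """Return (rule, client_ip, path) tuples in log order.

    uploader_post              - POST to the uploader endpoint
    php_after_upload           - same client requests a PHP file within WINDOW of its upload (high confidence)
    php_from_uploader_referrer - PHP path whose referrer mentions the uploader (lower confidence)
    """
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent uploader POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_ENDPOINT):
            last_upload[rec["ip"]] = rec["ts"]
            alerts.append(("uploader_post", rec["ip"], rec["path"]))
            continue
        if PHP_EXT.search(rec["path"]):
            prior = last_upload.get(rec["ip"])
            if prior is not None and rec["ts"] - prior <= WINDOW:
                alerts.append(("php_after_upload", rec["ip"], rec["path"]))
            elif "uploader" in rec["referrer"]:
                alerts.append(("php_from_uploader_referrer", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{rule:28} {ip:15} {path}")
```

The referrer rule reproduces the second half of the SIEM query above and will also match legitimate admin pages reached from the uploader (the fourth sample line is exactly that), so treat it as a low-confidence signal for tuning; the correlated "PHP request shortly after an uploader POST from the same client" is the one worth paging on.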
