CVE-2020-4041

Public Exploit

The filename of uploaded files vulnerable to stored XSS in Bolt CMS

Description

In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1.

References

Link	Tags
https://github.com/bolt/bolt/pull/7853	third party advisory patch
https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f	third party advisory patch
https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j	third party advisory patch
http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html	third party advisory vdb entry exploit
http://seclists.org/fulldisclosure/2020/Jul/4	mailing list third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2020-4041?: CVE-2020-4041 has been scored as a high severity vulnerability.
How to fix CVE-2020-4041?: To fix CVE-2020-4041, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-4041 being actively exploited in the wild?: It is possible that CVE-2020-4041 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-4041?: CVE-2020-4041 affects bolt bolt.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions