Headline
CVE-2020-21474: File upload vulnerability in Nucleus CMS v3.71 · Issue #95 · NucleusCMS/NucleusCMS
File Upload vulnerability in NucleusCMS v.3.71 allows a remote attacker to execute arbitrary code via the /nucleus/plugins/skinfiles/?dir=rsd parameter.
Description: I found a file upload vulnerability. In this vulnerability, we can use upload to change the upload path to the path without. Htaccess file. Upload an. Htaccess file and write it to AddType application / x-httpd-php.jpg. In this way, we can upload a picture with shell, treat it as PHP, execute our commands, so as to take down the whole website Resources and permissions for.
Because I don’t know why my picture can’t be uploaded, so I wrote the detailed utilization process in this page, hope you can see it
https://shimo.im/docs/Ch9CphJt8XwTvQ3d
I would like to submit this vulnerability to CVE mitre. I hope you can fix this vulnerability as soon as possible
Looking forward to your response.