High severity8.8NVD Advisory· Published Nov 12, 2020· Updated Jun 17, 2026
CVE-2020-27386
CVE-2020-27386
Description
An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to /<path_to_file>.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- FlexDotnetCMS/FlexDotnetCMSdescription
- Range: <1.5.9
Patches
Vulnerability mechanics
References
4- blog.vonahi.io/whats-in-a-re-name/nvdExploitThird Party Advisory
- github.com/rapid7/metasploit-framework/pull/14339nvdExploitPatchThird Party Advisory
- packetstormsecurity.com/files/160411/FlexDotnetCMS-1.5.8-Arbitrary-ASP-File-Upload.htmlnvdThird Party AdvisoryVDB Entry
- github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9nvdRelease NotesThird Party Advisory
News mentions
0No linked articles in our index yet.