CVE-2020-37054

EUVD-2020-30927
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
VulnCheckCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
naviwebsnavigate_cms
2.8.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://sourceforge.net/projects/navigatecms
https://www.exploit-db.com/exploits/48548
https://www.navigatecms.com/en/home
https://www.vulncheck.com/advisories/navigate-cms-cross-site-request-forgery