CVE-2020-8644
CVE-2020-8644
In short
PlaySMS versions before 1.4.3 fail to properly clean user inputs, allowing attackers to inject and execute malicious code. This can lead to complete system compromise.
Technical detail
CWE-94 (Code Injection) vulnerability in PlaySMS <1.4.3 due to insufficient input sanitization. An attacker can inject arbitrary code through unsanitized input parameters, potentially achieving remote code execution with system-level privileges. Pre-condition: access to input vectors (e.g., web forms, API endpoints); impact includes data theft, system takeover, and lateral movement.
Summary generated and translated by AI from the official description.
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 3
githubgithub.com/H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4★ 2cve_referencepacketstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/48335unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.htmlhttps://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8644