What is CVE-2020-24949?

CVE-2020-24949 is a vulnerability in N/a. Published 2020-09-03.

Is CVE-2020-24949 known to be exploited?

11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2020-24949

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

EPSS: 0.914 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

r90tpass/CVE-2020-24949
20142995/nuclei-templates
404notf0und/CVE-Flow
ARPSyndicate/cvemon
ARPSyndicate/kenzer-templates
StarCrossPortal/scalpel
anonymous364872/Rapier_
apif-review/APIF_
apit-review-account/apit-tool
nomi-sec/PoC-in-GitHub

References

github.com/php-fusion/PHP-Fusion/issues/2312 (x_refsource_MISC)
packetstormsecurity.com/files/162852/PHPFusion-9.03.50-Remote-Code-Execution.ht… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-24949?: CVE-2020-24949 is a vulnerability in N/a. Published 2020-09-03.
Is CVE-2020-24949 known to be exploited?: 11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.