CVE-2021-37770

Published: Jun 30, 2022Modified: Jun 17, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Nucleus CMS v3.71 is affected by a file upload vulnerability. In this vulnerability, we can use upload to change the upload path to the path without the Htaccess file. Upload an Htaccess file and write it to AddType application / x-httpd-php.jpg. In this way, an attacker can upload a picture with shell, treat it as PHP, execute commands, so as to take down website resources.

Affected (1)

Products: Nucleuscms: Nucleus Cms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nucleuscms Nucleus Cms	Version 3.71

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/NucleusCMS/NucleusCMS/issues/96

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://shimo.im/docs/Ch9CphJt8XwTvQ3d

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/NucleusCMS/NucleusCMS/issues/96

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://shimo.im/docs/Ch9CphJt8XwTvQ3d

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.