Published: 03/10/2018 | Updated: 19/11/2018
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 690
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated malicious users to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.
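A server-side check for the `id` parameter described above, as an added example that is not Navigate CMS code or the vendor's fix. The function name `resolve_upload_target`, the `upload_demo` directory and the rule that ids are short alphanumeric tokens are assumptions made for illustration.

```php
<?php
// Added example, not Navigate CMS code. Names, paths and the id format
// below are assumptions; the sample inputs are constructed.

/**
 * Return the path an upload for $id may be written to, or throw.
 * Closes both halves of the issue: traversal out of the upload directory
 * and storing a file under a name the web server would execute.
 */
function resolve_upload_target(string $baseDir, string $id): string
{
    // 1. Allow-list the identifier. No dots, slashes, backslashes or NUL,
    //    so "../" cannot appear and no ".php" extension can be chosen.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        throw new InvalidArgumentException('invalid file id');
    }

    // 2. Canonicalise the upload directory; it must already exist.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }

    // 3. Defence in depth: re-check containment and refuse a pre-existing
    //    symlink that would redirect the write somewhere else.
    $target = $base . DIRECTORY_SEPARATOR . $id;
    if (dirname($target) !== $base || is_link($target)) {
        throw new RuntimeException('target escapes upload directory');
    }
    return $target;
}

// Constructed inputs: the traversal value from the summary, then variants.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$samples = ['../../../navigate_info.php', '42', '42.php', "42\0.php", '..'];
foreach ($samples as $id) {
    try {
        $path = resolve_upload_target($base, $id);
        echo json_encode($id), ' -> ', $path, PHP_EOL;
    } catch (Exception $e) {
        echo json_encode($id), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only `42` is accepted; the traversal string, the names carrying a `.php` extension and the bare `..` are rejected before any filesystem write happens.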

Affected Products

Vendor | Product | Versions
Naviwebs | Navigate CMS | 2.8


    ##
    # This module requires Metasploit: metasploit.com/download
    # Current source: github.com/rapid7/metasploit-framework
    ##
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
      include Msf::Exploit::Remote::HttpClient
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'Navigate CMS Un ...

Metasploit Modules

Navigate CMS Unauthenticated Remote Code Execution

This module exploits insufficient sanitization in the database::protect method of Navigate CMS versions 2.8 and prior to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.

    msf > use exploit/multi/http/navigate_cms_rce
    msf exploit(navigate_cms_rce) > show targets
    msf exploit(navigate_cms_rce) > set TARGET <target-id>
    msf exploit(navigate_cms_rce) > show options
        ...show and set options...
    msf exploit(navigate_cms_rce) > exploit