Authenticated arbitrary file upload to RCE Product : Zenphoto Affected : Zenphoto CMS - <= 1.5.7 Attack Type : Remote login then go to plugins then go to uploader and press on the check box elFinder then press apply , after that you go to upload then Files(elFinder) drag and drop any malicious php code after that go to /uploaded/ and you're php code -------------------------------------------------------------------------------------------- Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. [Reference] https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/ https://twitter.com/3almisfer https://github.com/azizalshammari/ ------------------------------------------ [Discoverer] Abdulaziz Almisfer CVE-2020-36079