CVE-2020-27304

CVE-2020-27304 PUBLISHED

The CivetWeb web library does not validate uploaded file paths when running on an OS other than Windows and using the built-in HTTP form-based file upload mechanism via the mg_handle_form_request API. Web applications that use the file upload form handler and use parts of the user-controlled filename in the output path are susceptible to directory traversal.

Risk Scores

EPSS Score: 0.99% (77.3th percentile)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | civetweb | 1.16+dfsg-1build1, 1.16+dfsg-1, 0 |
| Ubuntu:22.04:LTS | civetweb | 1.15+dfsg-3, 0, 1.13+dfsg-5 |
| Ubuntu:25.10 | civetweb | *, 0 |

Timeline

  • Oct 21, 2021 CVE Published
  • Oct 22, 2021 EPSS Score
  • Dec 17, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 11, 2022 EPSS Score
  • Mar 9, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Apr 9, 2022 EPSS Score
  • Jul 31, 2022 EPSS Score
  • Sep 25, 2022 EPSS Score
  • Nov 20, 2022 EPSS Score
  • Jan 16, 2023 EPSS Score