CVE-2020-27304
PUBLISHED
The CivetWeb web library does not validate uploaded file paths when running on an OS other than Windows and using the built-in HTTP form-based file upload mechanism via the mg_handle_form_request API. Web applications that use the file upload form handler and use parts of the user-controlled filename in the output path are susceptible to directory traversal.
Risk Scores
EPSS Score
0.99%
77.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | civetweb | 1.16+dfsg-1build1, 1.16+dfsg-1, 0 |
| Ubuntu:22.04:LTS | civetweb | 1.15+dfsg-3, 0, 1.13+dfsg-5 |
| Ubuntu:25.10 | civetweb | *, 0 |
Timeline
- Oct 21, 2021 CVE Published
- Oct 22, 2021 EPSS Score
- Dec 17, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 11, 2022 EPSS Score
- Mar 9, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 9, 2022 EPSS Score
- Jul 31, 2022 EPSS Score
- Sep 25, 2022 EPSS Score
- Nov 20, 2022 EPSS Score
- Jan 16, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-27304 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-27304 third-party-advisory