CVE-2020-4041 — The filename of uploaded files vulnerable to stored XSS

Description

### Impact The filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. ### Patches This is fixed in Bolt 3.7.1. ### References Related issue: https://github.com/bolt/bolt/pull/7853

How to fix CVE-2020-4041

To remediate CVE-2020-4041, upgrade the affected package to a fixed version below.

—upgrade to 3.7.1 or later

Is CVE-2020-4041 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-4041
PATCHgithub.com/bolt/bolt
WEBpacketstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html
WEBseclists.org/fulldisclosure/2020/Jul/4
WEB