CVE-2020-8644

CVSS 9.8 CRITICAL · EPSS 86.7% · KEV · CWE-94
Vexday Risk Score: 100 (Fix now)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 86.7% · KEV yes · Public PoC · Patch
Lifecycle
05 Feb 2020: Published on NVD
16 Apr 2020: Public PoC
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

PlaySMS versions before 1.4.3 fail to properly clean user inputs, allowing attackers to inject and execute malicious code. This can lead to complete system compromise.

Technical detail

CWE-94 (Code Injection) vulnerability in PlaySMS <1.4.3 due to insufficient input sanitization. An attacker can inject arbitrary code through unsanitized input parameters, potentially achieving remote code execution with system-level privileges. Pre-condition: access to input vectors (e.g., web forms, API endpoints); impact includes data theft, system takeover, and lateral movement.

Summary generated and translated by AI from the official description.
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
