CVE-2020-37113
HIGH WAF: Medium
CVSS 8.8
Published: 2026-02-03
CWE-434
GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gunet | open_eclass_platform | 1.7.3 |
References
- download.openeclass.org (Release Notes)
- www.exploit-db.com (Exploit, Third Party Advisory, VDB Entry)
- www.openeclass.org (Product)
- www.vulncheck.com (Third Party Advisory)