Platform
php
Component
pmb
Fixed in
5.6.1
CVE-2020-36970 describes a local file disclosure vulnerability found in PMB version 5.6. This flaw allows attackers to read arbitrary files on the system by manipulating the 'chemin' parameter within the getgif.php script. Successful exploitation could lead to the exposure of sensitive information, potentially compromising the entire system. The vulnerability was published on 2026-01-28, and mitigation involves upgrading to a patched version of PMB.
The primary impact of CVE-2020-36970 is the unauthorized disclosure of sensitive system files. An attacker can craft a malicious request to the getgif.php endpoint, manipulating the 'chemin' parameter to specify the path to a file they wish to read. This could include configuration files containing database credentials, source code with embedded secrets, or even system files like /etc/passwd, which contains user account information. The blast radius extends to any data accessible by the web server process. While the vulnerability requires local access to the web server, it presents a significant risk in environments where the web server has elevated privileges or access to sensitive resources.
Exploitation context for CVE-2020-36970 is currently limited. There is no indication of this vulnerability being added to the CISA KEV catalog or being actively exploited in the wild. Public proof-of-concept exploits are not widely available. The vulnerability's relatively simple nature suggests that it could be exploited if discovered by malicious actors, particularly in environments with poor security practices.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2020-36970 is to upgrade PMB to a version that includes a fix for this vulnerability. Unfortunately, the specific fixed version is not provided. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the getgif.php endpoint or implementing strict input validation on the 'chemin' parameter. Web application firewalls (WAFs) can be configured to block requests containing suspicious file paths. Regularly review web server logs for unusual activity related to the getgif.php endpoint. After upgrading, confirm the vulnerability is resolved by attempting to access a sensitive file via the 'chemin' parameter and verifying that access is denied.
Actualizar a una versión parcheada o aplicar las medidas de seguridad necesarias para evitar la divulgación de archivos locales. Validar y sanitizar correctamente la entrada del parámetro 'chemin' para evitar el acceso a archivos no autorizados.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-36970 is a vulnerability in PMB 5.6 that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter in getgif.php.
If you are running PMB version 5.6, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of PMB. If upgrading is not immediately possible, implement temporary workarounds like restricting access to getgif.php or validating the 'chemin' parameter.
There is currently no evidence of CVE-2020-36970 being actively exploited in the wild, but the vulnerability's simplicity suggests it could be exploited if discovered.
Refer to the PMB project's official website or security advisories for the latest information and updates regarding CVE-2020-36970.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.