Platform
php
Component
chevereto-free
Fixed in
3.13.5
CVE-2020-37186 is a critical Remote Code Execution (RCE) vulnerability discovered in Chevereto, an image sharing script. This flaw allows attackers to inject and execute arbitrary code during the database configuration step of the installation process. Chevereto versions 3.13.4 and earlier are affected. A fix is available by upgrading to a patched version.
The vulnerability lies in how Chevereto handles the database table prefix during installation. An attacker can manipulate this parameter to write a PHP shell file to the server's filesystem. Subsequently, they can execute arbitrary system commands through a crafted POST request. This effectively grants the attacker complete control over the affected server, enabling them to steal sensitive data, install malware, or use the server as a launchpad for further attacks. The potential blast radius is significant, as a compromised Chevereto instance can expose the entire server and potentially connected systems.
This vulnerability has gained significant attention due to its ease of exploitation and the potential for widespread impact. While no active campaigns have been definitively linked to CVE-2020-37186, the availability of public proof-of-concept exploits increases the risk of opportunistic attacks. The vulnerability was publicly disclosed on 2026-02-11. It is not currently listed on CISA KEV.
Organizations and individuals using Chevereto for image sharing, particularly those running older, unpatched versions (3.13.4 and earlier), are at significant risk. Shared hosting environments that host Chevereto installations are also vulnerable, as a compromise of one instance could potentially affect other users on the same server.
• php / web:
curl -X POST -d 'table_prefix=<?php system($_GET["cmd"]); ?>' http://your-chevereto-site/install/ | grep '<?php system($_GET["cmd"]); ?>'
• generic web:
curl -I http://your-chevereto-site/install/
Check response headers for unusual content or redirects.
• generic web:
grep -r 'system($_GET["cmd"]);' /var/www/your-chevereto-site/*
Search for the malicious PHP code within the Chevereto installation directory.
disclosure
Exploit Status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Chevereto to a version that addresses this vulnerability. Consult the Chevereto website for the latest stable release. If immediate upgrading is not possible due to compatibility issues or downtime concerns, consider temporarily restricting access to the installation script or modifying the database configuration process to prevent malicious input. Web Application Firewalls (WAFs) configured to detect and block suspicious POST requests targeting the installation endpoint can also provide a layer of protection. Monitor Chevereto logs for unusual activity, particularly related to database configuration changes.
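The two defensive checks described above, strict validation of the table prefix before it is written into generated PHP and a scan of the resulting settings file for injected code, as an added example that is not Chevereto's own code. The settings-file layout (`$settings['db_table_prefix'] = '...';`) and the sample file contents are constructed assumptions for illustration.

```python
import re

# Whitelist for a database table prefix: letters, digits and underscore only.
# Anything else must never be interpolated into a generated PHP file.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]{0,32}$")

# Assumed layout of the generated settings file (hypothetical, not Chevereto's
# real format): a PHP array assignment such as  $settings['db_table_prefix'] = 'chv_';
PREFIX_ASSIGN_RE = re.compile(
    r"""\$settings\[\s*['"]db_table_prefix['"]\s*\]\s*=\s*['"](?P<value>.*?)['"]\s*;""",
    re.DOTALL,
)

# Shell-out primitives that have no business in a database settings file.
SHELL_OUT_RE = re.compile(r"\b(system|exec|passthru|shell_exec|eval)\s*\(")


def is_safe_prefix(value: str) -> bool:
    """Return True only if the prefix is safe to write into generated PHP."""
    return PREFIX_RE.fullmatch(value) is not None


def scan_settings(text: str) -> dict:
    """Inspect settings-file text for an unsafe prefix or injected PHP code."""
    findings = []
    match = PREFIX_ASSIGN_RE.search(text)
    prefix = match.group("value") if match else None
    if prefix is not None and not is_safe_prefix(prefix):
        findings.append("table prefix contains characters outside [A-Za-z0-9_]")
    # More than one opening tag, or a shell-out call, means a value escaped
    # its string literal and introduced executable code into the file.
    if text.count("<?php") > 1 or SHELL_OUT_RE.search(text):
        findings.append("injected PHP code present (extra <?php tag or shell-out call)")
    return {"prefix": prefix, "findings": findings}


# Constructed sample files: one clean install, one carrying an injected prefix.
CLEAN_SETTINGS = "<?php\n$settings['db_table_prefix'] = 'chv_';\n$settings['db_name'] = 'images';\n"
INJECTED_SETTINGS = "<?php\n$settings['db_table_prefix'] = '<?php system($_GET[\"cmd\"]); ?>';\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SETTINGS), ("injected", INJECTED_SETTINGS)):
        print(name, scan_settings(text))
```

Run the scanner over the real settings file of any instance that was installed while unpatched; an empty findings list is the expected result for a clean install.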
Upgrade Chevereto to a version later than 3.13.4 to fix the remote code execution vulnerability. Consult the official Chevereto website for the latest updates and security patches.
CVE-2020-37186 is a critical RCE vulnerability in Chevereto versions 3.13.4 and earlier, allowing attackers to execute arbitrary code during database configuration.
Yes, if you are running Chevereto version 3.13.4 or earlier, you are vulnerable to this RCE exploit. Upgrade immediately.
Upgrade Chevereto to the latest stable version available on the official Chevereto website. Consider temporary mitigation steps if immediate upgrading is not possible.
While no confirmed active campaigns are publicly known, the availability of public exploits increases the risk of exploitation.
Refer to the Chevereto website and security advisories for the latest information and updates regarding this vulnerability.