Description

PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the 'chemin' parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint.
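
A log check for the request pattern described above, as an added example that is not part of the CVE record or of PMB's code: it flags access-log requests to getgif.php whose 'chemin' value decodes to an absolute path or contains '..' segments. The combined log format, the sample log lines, the bare /getgif.php URL path and the assumption that legitimate 'chemin' values are relative paths are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, invented values).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2026:10:00:01 +0000] "GET /getgif.php?chemin=images/logo.gif HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Feb/2026:10:00:07 +0000] "GET /getgif.php?chemin=/etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Feb/2026:10:00:09 +0000] "GET /getgif.php?chemin=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Feb/2026:10:00:12 +0000] "GET /getgif.php?chemin=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Feb/2026:10:00:15 +0000] "GET /index.php?chemin=/etc/passwd HTTP/1.1" 404 0',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding and normalise backslashes to slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(value):
    """Return why a 'chemin' value is suspicious, or None if it looks relative."""
    path = fully_decode(value)
    if path.startswith("/") or re.match(r"[A-Za-z]:/", path):
        return "absolute path"
    if ".." in path.split("/"):
        return "directory traversal"
    return None

def scan(lines):
    """Return (line_number, decoded_chemin, reason) for suspicious getgif.php requests."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/getgif.php"):
            continue  # only the endpoint named in the advisory
        for value in parse_qs(target.query, keep_blank_values=True).get("chemin", []):
            reason = classify(value)
            if reason:
                hits.append((number, fully_decode(value), reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status and a response size unlike a normal image is worth checking against the file the decoded path names.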

PUBLISHED Reserved 2026-01-27 | Published 2026-01-28 | Updated 2026-01-28 | Assigner VulnCheck




MEDIUM: 6.9 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
HIGH: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

5.6
affected

Credits

41-trk (Tarik Bakir) finder

References

www.exploit-db.com/exploits/49054 (ExploitDB-49054) exploit

www.sigb.net (Vendor Homepage) product

forge.sigb.net/redmine/projects/pmb/files (Software Download Repository) product

www.vulncheck.com/...sories/pmb-chemin-local-file-disclosure (VulnCheck Advisory: PMB 5.6 - 'chemin' Local File Disclosure) third-party-advisory

cve.org (CVE-2020-36970)

nvd.nist.gov (CVE-2020-36970)
