CyberSec.Space Logo
Back to CVE Browser

CVE-2020-8644

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score50.6150%
EPSS Percentile93.68th
PublishedFeb 5, 2020
Last ModifiedNov 7, 2025

Vulnerability Description

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

Affected Platforms (CPE)

πŸ“¦
Playsms

Playsms

< 1.4.3

References & Advisories

πŸ”— http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html
πŸ”— https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704
πŸ”— https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
πŸ”— https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
πŸ”— http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html
πŸ”— https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704
πŸ”— https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
πŸ”— https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/

Related Vulnerabilities

CVE-2021-403739.8

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and t...

CVE-2017-91019.8

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTT...

CVE-2017-90808.8

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a...

CVE-2018-183878.8

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.