Cyber Resilience

CVE-2020-37080

High · Public PoC

Published: 03 February 2026

Modified: 15 April 2026
CVSS Score v4: 7.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0033 (24.3th percentile)
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37080 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at the 24.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37080 is a critical arbitrary file deletion vulnerability (CVSS 3.1 score of 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in webTareas 2.0.p8, specifically within the print_layout.php administration component. The flaw stems from CWE-73 (External Control of File Name or Path) and enables attackers to manipulate the 'atttmp1' parameter to specify and delete arbitrary files on the server.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows deletion of any file on the server, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and related resources, including those from VulnCheck (https://www.vulncheck.com/advisories/webtareas-p-arbitrary-file-deletion), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48430), and the webTareas project page on SourceForge (https://sourceforge.net/projects/webtareas/), provide further details on the issue, though specific patch information is not detailed in the CVE description.

Vulnerability details

webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The arbitrary file deletion vulnerability directly enables T1070.004 (File Deletion, under Indicator Removal) and T1485 (Data Destruction), with impact on integrity and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23898 · Shared CWE-73
CVE-2025-0105 · Shared CWE-73
CVE-2026-25605 · Shared CWE-73
CVE-2025-66292 · Shared CWE-73
CVE-2020-37078 · Shared CWE-73
CVE-2026-28442 · Shared CWE-73
CVE-2026-3892 · Shared CWE-73
CVE-2024-12267 · Shared CWE-73
CVE-2025-9048 · Shared CWE-73
CVE-2025-66254 · Shared CWE-73

Affected Assets

Sourceforge
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents CWE-73 external control of file name or path by validating inputs like the 'atttmp1' parameter to block arbitrary file deletion.

prevent

Enforces logical access controls to block unauthorized file deletion operations even if parameters are manipulated.

prevent

Remediates the specific flaw in print_layout.php through identification, prioritization, and correction of the arbitrary file deletion vulnerability.
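
An added example, not webTareas code and not code from this page: one way to apply the input-validation and access-enforcement controls above to a delete that is driven by a request parameter such as 'atttmp1'. The function name, directory layout and sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: delete a temporary attachment only if the
// request-supplied name resolves to a regular file inside $baseDir.
function delete_temp_attachment(string $baseDir, string $name): bool
{
    // Accept a bare file name only: no separators, no NUL, no dot entries.
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name)
        || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // Refuse symlinks so a link planted in the temp directory cannot redirect the delete.
    if (is_link($candidate) || !is_file($candidate)) {
        return false;
    }
    // Defence in depth: the resolved path must still sit under the base directory.
    $real = realpath($candidate);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($real);
}

// Constructed demo: a scratch temp directory and a file that lives outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe73_demo_' . bin2hex(random_bytes(4));
$tmp  = $root . DIRECTORY_SEPARATOR . 'tmp';
mkdir($tmp, 0700, true);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'upload_1.tmp', 'scratch');
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', 'keep me');

// Constructed parameter values: one legitimate name, the rest out of scope.
$inputs = ['upload_1.tmp', '../config.php', $root . '/config.php', '', 'missing.tmp'];
foreach ($inputs as $value) {
    printf("%-45s => %s\n", var_export($value, true),
        delete_temp_attachment($tmp, $value) ? 'deleted' : 'refused');
}
// Report whether the file outside the temp directory still exists.
var_dump(file_exists($root . DIRECTORY_SEPARATOR . 'config.php'));

// Clean up the scratch area.
unlink($root . DIRECTORY_SEPARATOR . 'config.php');
rmdir($tmp);
rmdir($root);
```

The authorization half of the control (confirming the session is allowed to delete that attachment at all) belongs before this call and is not shown.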
