CVE-2020-37080
Published: 03 February 2026
Summary
CVE-2020-37080 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37080 is a critical arbitrary file deletion vulnerability (CVSS 3.1 score of 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in webTareas 2.0.p8, specifically within the print_layout.php administration component. The flaw stems from CWE-73 (External Control of File Name or Path) and enables attackers to manipulate the 'atttmp1' parameter to specify and delete arbitrary files on the server.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows deletion of any file on the server, resulting in high impacts to confidentiality, integrity, and availability.
Advisories and related resources, including those from VulnCheck (https://www.vulncheck.com/advisories/webtareas-p-arbitrary-file-deletion), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48430), and the webTareas project page on SourceForge (https://sourceforge.net/projects/webtareas/), provide further details on the issue, though specific patch information is not detailed in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30995
Vulnerability details
webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion vulnerability directly enables T1070.004 (File Deletion under Indicator Removal) and T1485 (Data Destruction) for impact on integrity/availability.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents CWE-73 external control of file name or path by validating inputs like the 'atttmp1' parameter to block arbitrary file deletion.
Enforces logical access controls to block unauthorized file deletion operations even if parameters are manipulated.
Remediates the specific flaw in print_layout.php through identification, prioritization, and correction of the arbitrary file deletion vulnerability.
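The input-validation and access-enforcement controls above, as an added PHP example that is not webTareas code and not taken from the advisory: a deletion helper that accepts only a bare file name and deletes it only when it resolves to a regular file inside one directory. The function name and the demo directory are hypothetical, and the caller is assumed to have passed an authorization check before this function is reached.

```php
<?php
declare(strict_types=1);

/**
 * Delete a temporary attachment named by a request parameter.
 * Hypothetical helper: $requested stands in for a value such as 'atttmp1'.
 * Returns true when a file was deleted, false when the request was rejected.
 */
function delete_temp_attachment(string $requested, string $baseDir): bool
{
    // Allow-list: a bare file name only. No separators, no NUL bytes,
    // no leading dot, so "." and ".." can never be passed through.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $requested) !== 1) {
        return false;
    }

    // Canonicalise the directory once; fail closed if it does not exist.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // realpath() resolves symlinks, so a link planted inside $base that
    // points elsewhere ends up with a different parent directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Constructed demonstration in a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.tmp', 'constructed sample');

var_dump(delete_temp_attachment('../../etc/passwd', $dir)); // traversal attempt
var_dump(delete_temp_attachment('/etc/passwd', $dir));      // absolute path
var_dump(delete_temp_attachment('report.tmp', $dir));       // legitimate name
rmdir($dir);
```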