Remote Code Execution Vulnerability Discovered in Jumbo Website Manager v1.3.7
What Happened — A publicly‑available exploit (EDB‑ID 52504) demonstrates that an attacker can upload a malicious PHP PHAR file to Jumbo Website Manager 1.3.7, bypassing file‑type checks and achieving remote code execution on the underlying Linux host. The flaw stems from insecure file‑upload handling in the backup manager component.
Why It Matters for TPRM —
- RCE in a widely‑distributed open‑source CMS can be leveraged to compromise any downstream service that hosts the application.
- Third‑party sites that embed or rely on Jumbo Website Manager inherit the same attack surface.
- Lack of a CVE means many organizations may be unaware of the risk until an exploit is observed in the wild.
Who Is Affected — Web‑hosting providers, digital agencies, SaaS platforms, and any organization that deploys Jumbo Website Manager (primarily TECH_SAAS and OTHER sectors).
Recommended Actions —
- Inventory all instances of Jumbo Website Manager; verify version numbers.
- Immediately upgrade to a patched release or apply mitigations (e.g., strict MIME type validation, file‑extension whitelisting, web‑application firewall rules).
- Conduct a focused penetration test on the backup manager endpoint.
- Review third‑party risk contracts for clauses covering unpatched open‑source components.
Technical Notes — The exploit abuses the /jumbo_files/jumbo/backupmanager/fileupload/php.php endpoint, allowing arbitrary file upload (.phar disguised as .jbox). Once the malicious payload is stored, it can be executed via PHP’s deserialization mechanisms, granting full system privileges. No CVE has been assigned yet. Source: Exploit Database – EDB‑52504
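Added example (not code from the exploit, Exploit Database, or Jumbo Website Manager): a Python scanner for the content-based check behind the "strict MIME type validation" and "file-extension whitelisting" actions above. It judges a file by its bytes rather than its name, flagging a PHP open tag, the `__HALT_COMPILER()` stub every phar-native archive carries, and the `GBMB` trailer of a signed phar, so a `.phar` renamed to `.jbox` is still caught. The `.jbox` allow-list, the directory layout and the sample files are constructed assumptions; the advisory does not describe the legitimate backup format.

```python
import tempfile
from pathlib import Path

HEAD_BYTES = 8192                      # a phar stub sits at the start of the file
PHAR_STUB_MARKER = b"__HALT_COMPILER"  # mandatory end of every phar-native stub
PHAR_TRAILER_MAGIC = b"GBMB"           # last 4 bytes of a signed phar-native archive
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def phar_indicators(head: bytes, tail: bytes) -> list[str]:
    """Content-based signals that a blob is PHP code or a PHAR archive,
    independent of whatever filename the uploader chose."""
    reasons = []
    if any(tag in head for tag in PHP_OPEN_TAGS):
        reasons.append("php-open-tag")
    if PHAR_STUB_MARKER in head:
        reasons.append("phar-stub")
    if tail.endswith(PHAR_TRAILER_MAGIC):
        reasons.append("phar-signature-trailer")
    return reasons


def inspect_file(path: Path, allowed_ext=(".jbox",)) -> list[str]:
    """Read only the head and tail so multi-GB backups are not loaded whole."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
        fh.seek(0, 2)                                   # seek to end of file
        fh.seek(max(0, fh.tell() - len(PHAR_TRAILER_MAGIC)))
        tail = fh.read()
    reasons = phar_indicators(head, tail)
    if path.suffix.lower() not in allowed_ext:          # assumed allow-list
        reasons.append(f"disallowed-extension:{path.suffix or '<none>'}")
    return reasons


def scan_upload_dir(root) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its reasons."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    # Constructed upload directory (not real Jumbo data): a benign zip-looking
    # blob, a phar-native archive renamed to .jbox, and a stray text file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "site-backup.jbox").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
        phar = b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 32 + b"GBMB"
        (root / "evil.jbox").write_bytes(phar)
        (root / "readme.txt").write_bytes(b"plain text\n")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it over the backup manager's upload directory as part of the inventory step. A zip- or tar-based PHAR keeps its stub inside an archive entry and will not match these head/tail signals, so pair the scan with rejecting any upload whose content is not the expected archive format.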