First published: Fri Jan 15 2021
An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin access rights. The affected parameter, which retrieves the contents of the specified file, accepts malicious user input without proper sanitization, allowing retrieval of sensitive files from the backend server, e.g., /etc/passwd, SQLite database files, PHP source code, etc.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Flatcore Flatcore | <=2.0.0 | |
The vulnerability ID for this issue is CVE-2021-23835.
CVE-2021-23835 has a severity rating of medium.
The affected software for CVE-2021-23835 is flatCore before version 2.0.0 build 139.
CVE-2021-23835 is a local file disclosure vulnerability in the docs_file HTTP request body parameter for the acp interface in flatCore before 2.0.0 build 139, which can be exploited with admin access rights.
CVE-2021-23835 can be exploited with admin access rights by manipulating the docs_file parameter in the acp interface of flatCore CMS.