CVE-2021-23835: Input Validation
First published: Fri Jan 15 2021(Updated: )
An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin access rights. The affected parameter (which retrieves the contents of the specified file) was found to be accepting malicious user input without proper sanitization, thus leading to retrieval of backend server sensitive files, e.g., /etc/passwd, SQLite database files, PHP source code, etc.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Flatcore Flatcore | <=2.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-23835.
What is the severity rating of CVE-2021-23835?
CVE-2021-23835 has a severity rating of medium.
What is the affected software for CVE-2021-23835?
The affected software for CVE-2021-23835 is flatCore before version 2.0.0 build 139.
What is the description of CVE-2021-23835?
CVE-2021-23835 is a local file disclosure vulnerability in the docs_file HTTP request body parameter for the acp interface in flatCore before 2.0.0 build 139, which can be exploited with admin access rights.
How can CVE-2021-23835 be exploited?
CVE-2021-23835 can be exploited with admin access rights by manipulating the docs_file parameter in the acp interface of flatCore CMS.
- collector/nvd-index
- vendor/flatcore
- canonical/flatcore flatcore
- version/flatcore flatcore/2.0.0