First published: Fri Jan 15 2021
An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter of the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to accept malicious user input without proper sanitization, leading to SQL injection. Database-related information can be successfully retrieved.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Flatcore Flatcore | <=2.0.0 | Update to 2.0.0 build 139 or later |
The severity of CVE-2021-23837 is medium, with a CVSS score of 6.5.
CVE-2021-23837 affects flatCore CMS versions up to and including 2.0.0.
CVE-2021-23837 is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection).
We do not provide guidance or support for exploiting vulnerabilities. It is important to follow responsible disclosure practices and report any findings to the software vendor.
To fix CVE-2021-23837, it is recommended to update flatCore CMS to version 2.0.0 build 139 or later, as this vulnerability has been patched in that release.
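As an added illustration of the weakness class behind this advisory (this is not flatCore's own code; the table, column and function names are assumptions), the following PHP models a hypothetical "list files in the selected folder" lookup, first in the pattern the description refers to (the request value concatenated into the SQL text) and then hardened with a bound parameter, which is the standard remediation for CWE-89. An in-memory SQLite database stands in for the CMS database so the script runs offline.

```php
<?php
// Added example; this is not flatCore's code. It models a hypothetical
// "list files in the selected folder" lookup of the kind the advisory
// describes, first in the vulnerable pattern (request value concatenated
// into the SQL text) and then hardened with a bound parameter.
// An in-memory SQLite database stands in for the CMS database so the
// script runs offline:  php example.php

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, folder TEXT, name TEXT)');
// Constructed sample rows (the table layout is an assumption).
$db->exec("INSERT INTO files (folder, name) VALUES
    ('docs', 'readme.txt'), ('docs', 'changelog.txt'), ('o''reilly', 'notes.txt')");

// VULNERABLE: the folder name becomes part of the SQL text, so whatever the
// client puts in selected_folder is parsed by the database as SQL.
function listFilesVulnerable(PDO $db, string $folder): array
{
    $sql = "SELECT name FROM files WHERE folder = '" . $folder . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the SQL text is fixed and the folder name travels as a bound
// parameter, so the database never interprets the value as SQL.
function listFilesSafe(PDO $db, string $folder): array
{
    $stmt = $db->prepare('SELECT name FROM files WHERE folder = :folder');
    $stmt->execute([':folder' => $folder]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Defence in depth, independent of parameterization: a folder name should be
// a single plain path segment. Rejecting anything else before the query
// narrows the input surface; the bound parameter is what stops injection.
function isValidFolderName(string $folder): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder) === 1;
}

// The constructed value stands in for the selected_folder body parameter.
// A folder name containing an apostrophe is enough to show the difference:
// the concatenated query breaks, the bound one simply returns the row.
$folder = $_POST['selected_folder'] ?? "o'reilly";

try {
    print_r(listFilesVulnerable($db, $folder));
} catch (PDOException $e) {
    echo "vulnerable query failed: the input changed the SQL syntax\n";
}

print_r(listFilesSafe($db, $folder));
echo isValidFolderName($folder) ? "allowed by allow-list\n" : "rejected by allow-list\n";
```

Run with `php example.php`: the concatenated query raises a syntax error on the apostrophe, which is the same mechanism an attacker relies on, while the prepared statement returns the matching row unchanged. The allow-list check shows a second, independent control; it would reject the demonstration value because the apostrophe is outside the permitted character set.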