CVE-2021-23837: SQL Injection
First published: Fri Jan 15 2021(Updated: )
An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious user input without proper sanitization, thus leading to SQL injection. Database related information can be successfully retrieved.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Flatcore Flatcore | <=2.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-23837?
The severity of CVE-2021-23837 is medium, with a CVSS score of 6.5.
What is the affected software version of CVE-2021-23837?
CVE-2021-23837 affects flatCore CMS versions up to and including 2.0.0.
What is the CWE category for CVE-2021-23837?
CVE-2021-23837 belongs to CWE category 89.
How can I exploit CVE-2021-23837?
We do not provide guidance or support for exploiting vulnerabilities. It is important to follow responsible disclosure practices and report any findings to the software vendor.
How do I fix CVE-2021-23837?
To fix CVE-2021-23837, it is recommended to update flatCore CMS to version 2.0.0 build 139 or later, as this vulnerability has been patched in that release.
- collector/nvd-index
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/tags
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- vendor/flatcore
- canonical/flatcore flatcore
- version/flatcore flatcore/2.0.0