An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious user input without proper sanitization, thus leading to SQL injection. Database related information can be successfully retrieved.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/160936/flatCore-CMS-XSS-File-Disclosure-SQL-Injection.html | Exploit Third Party Advisory VDB Entry |
https://github.com/flatCore/flatCore-CMS | Product Third Party Advisory |
https://sec-consult.com/vulnerability-lab/ | Third Party Advisory |
Configurations
Information
Published : 2021-01-14 23:15
Updated : 2021-01-22 09:27
NVD link : CVE-2021-23837
Mitre link : CVE-2021-23837
JSON object : View
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Products Affected
flatcore
- flatcore