Vulnerability CVE-2020-35734


Published: 2021-02-15

Description:
** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must log in to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

See advisories in our WLB2 database:
Topic: Batflat CMS 1.3.6 Remote Code Execution (High)
Author: mari0x00
Date: 18.02.2021

References:
https://batflat.org/en/changelog
https://github.com/sruupl/batflat/issues/98
https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/

Copyright 2024, cxsecurity.com