QwikSec

Security Database

CVE

CWE

Training

CVE-2020-35734

Published: Feb 15, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must login to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://batflat.org/en/changelog

x_refsource_MISC

https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/

x_refsource_MISC

https://github.com/sruupl/batflat/issues/98

x_refsource_MISC

http://packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.