CVE-2021-23837

MEDIUM

flatcore < 2.0.0 - Time-Based Blind SQL Injection via selected_folder Parameter

Title source: llm
STIX 2.1

Description

An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious user input without proper sanitization, thus leading to SQL injection. Database related information can be successfully retrieved.

References (3)

Core 3
Core References
Product, Third Party Advisory x_refsource_misc
https://github.com/flatCore/flatCore-CMS
Third Party Advisory x_refsource_misc
https://sec-consult.com/vulnerability-lab/

Scores

CVSS v3 6.5
EPSS 0.0146
EPSS Percentile 70.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
flatcore/flatcore < 2.0.0
Published Jan 15, 2021
Tracked Since Feb 18, 2026