Vulnerability
Remote code execution (RCE) vulnerability in the Upload File functionality in FlatPress 1.2.1
Description
The application lets users upload images and download them later. This functionality is not
sandboxed and lacks adequate security controls: the file-type restriction can be bypassed by
tricking the web server into accepting dangerous file types, which leads to RCE.
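A defensive counterpart to the flaw described above, added here as an example and not taken from FlatPress: an upload handler that allowlists image extensions, checks the file content independently of the client-supplied name and MIME type, and stores the file under a server-generated name. The function name, the `image` form field and the storage directory are assumptions.

```php
<?php
// Added example (not FlatPress code): hardened image-upload validation.
// Assumes $dir is a directory the web server never executes scripts from.

const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and move it to $dir under a random name.
 * Returns the stored path; throws on any validation failure.
 * The client-supplied filename is never used to build the stored path.
 */
function store_image(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // Only the final extension counts, lower-cased, and it must be allowlisted.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Do not trust $file['type'] (set by the client); sniff the bytes on disk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Independent second check: the file must parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: no user input reaches the filesystem path.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Typical call from the upload handler (hypothetical field name "image"):
// $path = store_image($_FILES['image'], '/var/www/uploads');
```

Validation is only half of the mitigation: the upload directory must also be configured so the web server never executes files in it, and uploads should be served with a fixed, non-executable Content-Type.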
CVE-ID
CVE-2022-40048
Vendor
Flatpress
Product
FlatPress v1.2.1
Disclosure Timeline
Reported On: 27th May 2022
Made Public On: 27th Sep 2022
Fixed On: 1st Oct 2022
Credits
Sandeep Wawdane