FlexPaper <= 2.3.6 Remote Command Execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: FlexPaper <= 2.3.6 Remote Command Execution
- From: Red Timmy Sec - <redazione@xxxxxxxxxxx>
- Date: Sun, 10 Mar 2019 10:00:05 +0100 (CET)
Description
===========
FlexPaper (https://www.flowpaper.com) is an open source project, released under
the GPL license and quite widespread over the internet. It provides document viewing
functionality to web clients, mobile and tablet devices. At least until 2014
the component was actively used by WikiLeaks, when it was discovered to be
affected by an XSS vulnerability that was subsequently patched.
Around one year ago Red Timmy Sec discovered a Remote Command Execution
vulnerability in FlexPaper. The vendor was immediately contacted and a CVE
registered (CVE-2018-11686). However, the vulnerability itself has remained
undisclosed until now, regardless of the fact that a patch was issued with
release 2.3.7 of the project.
Full analysis of this vulnerability can be found here:
https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/