[FD] FlexPaper <= 2.3.6 Remote Command Execution
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] FlexPaper <= 2.3.6 Remote Command Execution
- From: redazione@xxxxxxxxxxx
- Date: Sun, 10 Mar 2019 09:49:24 +0100 (CET)
Description
===========
FlexPaper (https://www.flowpaper.com) is an open source project, released under
the GPL license, that is quite widespread on the internet. It provides document
viewing functionality to web clients, mobile and tablet devices. The component
was actively used by WikiLeaks at least until 2014, when it was discovered to be
affected by an XSS vulnerability that was subsequently patched.
Around one year ago Red Timmy Sec discovered a Remote Command Execution
vulnerability in FlexPaper. The vendor was immediately contacted and a CVE was
registered (2018-11686). However, the vulnerability itself has remained
undisclosed until now, despite the fact that a patch has been issued with
release 2.3.7 of the project.
Full analysis of this vulnerability can be found here:
https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/