FlexPaper <= 2.3.6 Remote Command Execution


From: redazione () segfault it
Date: Sun, 10 Mar 2019 09:49:24 +0100 (CET)

Description
===========
FlexPaper (https://www.flowpaper.com) is an open source project, released under the GPL license, that is widely deployed on the
internet. It provides document viewing functionality to web clients, mobile and tablet devices. At least until 2014
the component was actively used by WikiLeaks, when it was discovered to be affected by an XSS vulnerability that was
subsequently patched.

Around one year ago Red Timmy Sec discovered a Remote Command Execution vulnerability in FlexPaper. The vendor was
immediately contacted and a CVE was registered (CVE-2018-11686). However, the vulnerability itself has remained undisclosed
until now, regardless of the fact that a patch has been issued with release 2.3.7 of the project.

Full analysis of this vulnerability can be found here: 
https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
