CVE-2020-35580

Name of the Vulnerable Software and Affected Versions: SearchBlox versions prior to 9.2.2

Description: A local file inclusion issue in the FileServlet allows remote, unauthenticated users to read arbitrary files from the operating system via a "/searchblox/servlet/FileServlet?col=url=" request. This may be used to read the contents of the SearchBlox configuration file, which contains the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.

Recommendations: For versions prior to 9.2.2, update to version 9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the FileServlet to minimize the risk of exploitation. Avoid using the col and url parameters in the affected API endpoint until the issue is resolved.