PT-2021-11840 · Batflat · Batflat

Mari0X00 · Published 2021-02-15 · Updated 2024-08-04 · CVE-2020-35734

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Batflat version 1.3.6
Description: The issue allows an authenticated user to perform code injection, and consequently Remote Code Execution, via the input fields of the Users tab. To exploit this, one must log in to the administration panel and edit an arbitrary user's data, such as the username or displayed name. This issue only affects products that are no longer supported by the maintainer.
Recommendations: For version 1.3.6, as a temporary workaround, consider restricting access to the Users tab in the administration panel until a resolution can be determined. Since the product is no longer supported, this may be the only available mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
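The advisory identifies the Users tab fields (username and displayed name) as the injection point, so the class of fix is server-side allowlist validation of those fields before anything is persisted. The following is an added example written for this page; it is not Batflat's own code and does not reproduce the vulnerable routine. The class name, the regular expressions, the length limits and the sample inputs are all assumptions chosen for illustration.

```php
<?php
// Added example, not Batflat's code. Shows allowlist validation of the two
// Users tab fields named in the advisory before they are stored anywhere.
// Class name, patterns and limits are assumptions for this illustration.

declare(strict_types=1);

final class UserFieldValidator
{
    // Username: ASCII letters, digits, dot, underscore, hyphen; 3 to 32 chars.
    private const USERNAME_RE = '/\A[A-Za-z0-9._-]{3,32}\z/';

    // Displayed name: Unicode letters, digits, spaces, dot, comma, hyphen;
    // 1 to 64 chars. Quotes, angle brackets, $, ; and similar are rejected
    // outright rather than escaped, so nothing that could terminate a string
    // or a template context is ever written to storage.
    private const DISPLAY_RE = '/\A[\p{L}\p{N} .,-]{1,64}\z/u';

    /** @return string[] list of error messages; an empty list means valid */
    public static function validate(string $username, string $displayName): array
    {
        $errors = [];
        if (preg_match(self::USERNAME_RE, $username) !== 1) {
            $errors[] = 'username: only A-Z a-z 0-9 . _ - (3 to 32 chars)';
        }
        if (preg_match(self::DISPLAY_RE, $displayName) !== 1) {
            $errors[] = 'display name: letters, digits, spaces, . , - (1 to 64 chars)';
        }
        return $errors;
    }
}

// Constructed sample inputs for the example (not taken from any real system).
$samples = [
    ['alice',            'Alice Example'],   // accepted
    ['alice',            'Alice"; $x = 1'],  // quote and semicolon: rejected
    ['<?php echo 1; ?>', 'Bob'],             // PHP tag in username: rejected
    ['bo',               'Bob'],             // too short: rejected
];

foreach ($samples as [$u, $d]) {
    $errors = UserFieldValidator::validate($u, $d);
    echo ($errors === [] ? 'ACCEPT ' : 'REJECT ') . json_encode([$u, $d]) . "\n";
    foreach ($errors as $e) {
        echo "  - $e\n";
    }
}
```

The display-name allowlist deliberately excludes the apostrophe, so a name such as O'Brien would be rejected; if that is unacceptable, widen the character class and instead guarantee that the stored value is only ever emitted through an output encoder such as htmlspecialchars and never placed into executable code or a serialized PHP file. Validation of this kind is a code-level fix; for an unsupported installation the advisory's recommendation of restricting access to the Users tab remains the practical mitigation.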

Tags: Exploit, RCE, Code Injection

Weakness Enumeration

Related Identifiers: CVE-2020-35734

Affected Products: Batflat