PT-2021-15558 · Flatcore · Flatcore

Published: 2021-01-15 · Updated: 2021-01-22 · CVE-2021-23837

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: flatCore versions prior to 2.0.0 build 139
Description: A time-based blind SQL injection issue was identified in the selected folder HTTP request body parameter for the acp interface. This parameter, which retrieves the file contents of the specified folder, was found to be accepting malicious user input without proper sanitization, leading to SQL injection. As a result, database-related information can be successfully retrieved.
Recommendations: For versions prior to 2.0.0 build 139, consider disabling the selected folder parameter in the acp interface until a patch is available. Restrict access to the acp interface to minimize the risk of exploitation. Avoid using the selected folder parameter in the affected HTTP request body until the issue is resolved.

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-23837

Affected Products: Flatcore