Path traversal vulnerability found in flatpressblog/flatpress

Status: Valid

Reported on Dec 4th 2022


Description

Please check this link:

https://demos4.softaculous.com/FlatPressfgbu50zqaa/fp-content/

Proof of Concept

https://prnt.sc/0UGovVLWcKo7

Impact

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
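The paragraph above describes the vulnerability class in general terms. As an added illustration (not FlatPress code and not the fix shipped in 1.3), the following Python shows the defensive check a web application should apply to any user-supplied file name before opening it: resolve the path against the content directory and confirm the fully resolved result is still inside it. The `resolve_within`, `safe_path_from_url` and `demo` names, the throwaway `content` directory and the sample requests are all constructed for this example; the symlink case assumes a POSIX filesystem.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the permitted base directory."""


def resolve_within(base_dir, requested):
    """Resolve the untrusted relative path `requested` against `base_dir`.

    Returns the fully resolved path only if it still lies inside `base_dir`
    after normalisation and symlink resolution; otherwise raises
    PathTraversalError. Absolute paths and NUL bytes are rejected up front.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(requested):
        # joining an absolute path would silently discard base_dir
        raise PathTraversalError("absolute paths are not allowed")
    base = Path(base_dir).resolve(strict=True)
    # strict=False: the target may not exist yet (e.g. a file about to be written)
    candidate = (base / requested).resolve()
    # Containment check on the *resolved* paths: catches "../", "x/../../y"
    # and symlinks inside base_dir that point outside it.
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{requested!r} escapes {base}")
    return candidate


def safe_path_from_url(base_dir, url_segment):
    """Decode a URL path segment and confine it to base_dir.

    Decoding happens *before* the containment check, so %2e%2e%2f is seen as
    "../" rather than slipping past a naive string filter.
    """
    return resolve_within(base_dir, unquote(url_segment))


def demo():
    """Constructed scenario (assumption: POSIX filesystem with symlink support).

    Builds a throwaway content directory holding one legitimate file and a
    symlink that points at a file outside the directory, then records which
    requests are accepted (True) or rejected (False).
    """
    root = Path(tempfile.mkdtemp())
    try:
        content = root / "content"
        content.mkdir()
        (content / "post.txt").write_text("a legitimate post")
        (root / "secret.txt").write_text("outside the content dir")
        (content / "escape").symlink_to(root / "secret.txt")

        requests = [
            "post.txt",              # legitimate file inside the content dir
            "../secret.txt",         # classic dot-dot traversal
            "%2e%2e%2fsecret.txt",   # the same traversal, URL-encoded
            "sub/../../secret.txt",  # traversal behind a benign-looking prefix
            "/etc/hostname",         # absolute path
            "escape",                # symlink that resolves outside the content dir
        ]
        results = {}
        for req in requests:
            try:
                safe_path_from_url(content, req)
                results[req] = True
            except PathTraversalError:
                results[req] = False
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {req}")
```

The important design point is that the check runs on the resolved path, not on the raw string: a blocklist of `..` substrings misses encoded variants and symlinks, whereas comparing `Path.resolve()` output against the base directory rejects every route out of it, including a symlink that was planted inside the content directory.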

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back a year ago
Nilabh Rajpoot (Researcher), a year ago:

@admin sir, any update?

flatpressblog/flatpress maintainer validated this vulnerability a year ago
Nilabh Rajpoot has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 9c4e5d a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 22nd 2023
Nilabh Rajpoot (Researcher), a year ago:

@admin sir, can you please assign a CVE?

Ben Harvie (Admin), a year ago:

Hi Nilabh, the maintainer has the choice to assign a CVE at the point of publishing.

Pavlos (Admin), a year ago:

The CVE will go out on Feb 22nd 2023.

Nilabh Rajpoot (Researcher), 9 months ago:

@admin sir, any update?

Ben Harvie published this vulnerability 9 months ago
Ben Harvie (Admin), 9 months ago:

A CVE has been assigned to this report (CVE-2023-0947).
