CVE-2018-11686 – CVE-2018-11686 is a critical remote code execut... (How to Fix)

Q: What is the severity of CVE-2018-11686?

CVE-2018-11686 has a CVSS score of 9.8 (CRITICAL). CVE-2018-11686 is a critical remote code execution vulnerability in FlexPaper/FlowPaper's Publish Service. Attackers can execute arbitrary code on affected servers by exploiting setup.php and change_config.php files. This affects all organizations running vulnerable versions of FlexPaper/FlowPaper.

📋 TL;DR

CVE-2018-11686 is a critical remote code execution vulnerability in FlexPaper/FlowPaper's Publish Service. Attackers can execute arbitrary code on affected servers by exploiting setup.php and change_config.php files. This affects all organizations running vulnerable versions of FlexPaper/FlowPaper.

💻 Affected Systems

Products:

FlexPaper
FlowPaper

Versions: 2.3.6 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Publish Service to be enabled and accessible.

📦 What is this software?

Flexpaper by Flowpaper

View all CVEs affecting Flexpaper →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to install malware, steal data, pivot to internal networks, or establish persistent backdoors.

🟠

Likely Case

Web server compromise leading to data theft, defacement, or cryptocurrency mining malware installation.

🟢

If Mitigated

Limited impact with proper network segmentation, web application firewalls, and restricted file permissions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.7 and later

Vendor Advisory: https://flowpaper.com/blog/

Restart Required: No

Instructions:

1. Download latest version from flowpaper.com 2. Backup configuration 3. Replace files 4. Verify functionality

🔧 Temporary Workarounds

Remove vulnerable files

linux

Delete or restrict access to setup.php and change_config.php

rm /path/to/flexpaper/setup.php
rm /path/to/flexpaper/change_config.php

Web server restrictions

all

Block access to vulnerable endpoints via web server configuration

LocationMatch "^/(setup|change_config)\.php$"
Order deny,allow
Deny from all

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Deploy web application firewall with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if setup.php and change_config.php exist in FlexPaper/FlowPaper directory and are accessible via HTTP.

Check Version:

grep -r 'version' /path/to/flexpaper/ | grep -i '2\.3\.[0-6]'

Verify Fix Applied:

Verify files are removed/restricted and version is 2.3.7+

📡 Detection & Monitoring

Log Indicators:

HTTP requests to setup.php or change_config.php
Unusual POST requests with PHP code

Network Indicators:

Traffic patterns matching exploit payloads
Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND (uri="*setup.php*" OR uri="*change_config.php*")

📊 Metadata

CVE ID: CVE-2018-11686

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: July 3, 2019

Last Updated: November 21, 2024

🔗 References

https://flowpaper.com/blog/ Release Notes,Third Party Advisory
https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution Exploit,Patch,Third Party Advisory
https://flowpaper.com/blog/ Release Notes,Third Party Advisory
https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution Exploit,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-11686, you might also want to check these: