CVE-2020-35734

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated users in Batflat CMS to inject malicious code through user profile fields, leading to remote code execution. It affects Batflat 1.3.6 installations where users have access to the administration panel. Note that this product is no longer supported by the maintainer.

💻 Affected Systems

Products:
  • Batflat CMS
Versions: 1.3.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with authenticated user access to administration panel. Product is no longer supported.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise, allowing an attacker to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.

🟠 Likely Case

An attacker with valid credentials gains shell access, modifies website content, steals data, or installs backdoors.

🟢 If Mitigated

Limited impact if proper access controls, input validation, and monitoring are in place to detect suspicious activity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires valid admin credentials. Multiple public exploit scripts and detailed write-ups available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://batflat.org/en/changelog

Restart Required: No

Instructions:

No official patch is available because the product is no longer supported. Consider migrating to a supported CMS.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Add server-side input validation for all user profile fields to prevent code injection.

Modify /inc/core/users.class.php to sanitize input before processing.

Access Restriction

Applies to: all

Restrict access to the administration panel to trusted IP addresses only.

Add IP whitelisting to .htaccess or the web server configuration.

🧯 If You Can't Patch

  • Immediately change all admin passwords and implement strong password policies
  • Monitor user profile modification logs and set alerts for suspicious changes

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running Batflat version 1.3.6 by examining the version files or the admin panel footer.

Check Version:

grep -r 'version' /path/to/batflat/ (or check the admin panel interface)

Verify Fix Applied:

Test the user profile editing functionality with malicious input and confirm that it is properly sanitized before being processed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user profile modifications
  • Suspicious POST requests to user editing endpoints
  • Execution of system commands in web logs

Network Indicators:

  • Unexpected outbound connections from web server
  • Shell command patterns in HTTP requests

SIEM Query:

source="web_logs" AND (uri="/admin/users/edit" OR uri="/admin/users/save") AND (payload CONTAINS "system(" OR payload CONTAINS "exec(" OR payload CONTAINS "shell_exec(")
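The log indicators and SIEM query above, turned into a small scanner run over constructed sample log lines (an added example, not part of the original advisory and not Batflat's own code). It assumes a log layout where a WAF or audit module appends the percent-encoded POST body as body="..." to a combined-style access line; the sample lines, endpoints and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the advisory: POSTs to the admin user-editing
# endpoints whose body carries a PHP command-execution call.
SUSPECT_URIS = ("/admin/users/edit", "/admin/users/save")
SUSPECT_CALLS = re.compile(r"\b(system|exec|shell_exec)\s*\(", re.IGNORECASE)

# Assumed log layout (constructed): a combined-style access line followed
# by body="<percent-encoded POST body>" as a WAF or audit module might add.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ body="(?P<body>[^"]*)"$'
)

def scan_line(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    uri = m.group("uri").split("?", 1)[0]
    if m.group("method") != "POST" or not uri.startswith(SUSPECT_URIS):
        return None
    # Decode twice so one extra layer of percent-encoding still exposes
    # the call name to the pattern match.
    body = unquote_plus(unquote_plus(m.group("body")))
    hit = SUSPECT_CALLS.search(body)
    if not hit:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "uri": uri, "call": hit.group(1).lower()}

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines: a benign edit, a plain-encoded payload, a
# double-encoded payload, a GET, and a POST to an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jan/2021:10:01:02 +0000] "POST /admin/users/save HTTP/1.1" 302 0 '
    'body="username=alice&fullname=Alice+Smith"',
    '10.0.0.9 - admin [12/Jan/2021:10:05:44 +0000] "POST /admin/users/edit/2 HTTP/1.1" 302 0 '
    'body="username=bob&fullname=%3C%3Fphp+system%28%27id%27%29%3B%3F%3E"',
    '10.0.0.9 - admin [12/Jan/2021:10:06:10 +0000] "POST /admin/users/save HTTP/1.1" 302 0 '
    'body="username=bob&fullname=shell_exec%2528%2527id%2527%2529"',
    '10.0.0.9 - admin [12/Jan/2021:10:06:30 +0000] "GET /admin/users/edit/2 HTTP/1.1" 200 4120 body=""',
    '10.0.0.7 - admin [12/Jan/2021:10:07:00 +0000] "POST /admin/pages/save HTTP/1.1" 302 0 '
    'body="title=exec%28%29+is+a+PHP+function"',
]
```

Calling scan(SAMPLE_LOG) returns two findings (the system( and the double-encoded shell_exec( bodies); the benign edit, the GET and the unrelated endpoint are skipped.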
