CVE-2021-39608

7.2 HIGH

📋 TL;DR

The upload addon of FlatCore-CMS 2.0.7 does not restrict the type of file it accepts, so a user with access to it can store a PHP file in a web-served directory and then request that file, executing arbitrary PHP code as the web server user. Because the file persists on disk, a single upload gives durable code execution. All 2.0.7 installations with the upload addon installed are affected.

💻 Affected Systems

Products:
  • FlatCore-CMS
Versions: 2.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires upload addon plugin to be enabled/installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution as the web server user, leading to takeover of the CMS and its database, theft of stored data and credentials, defacement, and use of the host as a foothold for lateral movement into the surrounding network.

🟠

Likely Case

A web shell or backdoor dropped in the upload directory for persistent access, followed by defacement, malware hosting, and credential theft.

🟢

If Mitigated

If PHP execution is disabled in the upload directory (or uploads are stored outside the web root), an uploaded .php file is served as inert content or not at all, and the bug degrades to a storage-abuse issue. A web application firewall that blocks PHP-typed uploads adds a second layer but should not be the only control.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: No
Complexity: LOW

Public exploit code is available on Packet Storm Security. The CVSS 7.2 score corresponds to a vector with high privileges required, so exploitation needs an authenticated session with access to the upload addon (typically an administrator account); no authentication bypass is involved. Once that access exists, the attack is a single file upload followed by a request for the uploaded file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.8 or later

Vendor Advisory: https://github.com/flatCore/flatCore-CMS/issues/52

Restart Required: No

Instructions:

1. Back up the installation, including the database and the upload directory.
2. Download the latest release (2.0.8 or later) from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that upload functionality still works and that a file with a PHP extension is rejected or, if stored, is not executed when requested.
5. Inspect the upload directory for PHP files uploaded before patching; the patch does not remove a shell that was already dropped.

🔧 Temporary Workarounds

Disable Upload Addon

linux

Temporarily disable the vulnerable upload addon by moving its directory out of the addons path (adjust the path to your installation). This stops new uploads only; also delete any PHP files already present in the upload directory, since a shell dropped before the change remains reachable.

mv /path/to/flatcore/addons/upload /path/to/flatcore/addons/upload.disabled

Restrict File Upload Types

all

Configure the web server so that files with PHP extensions in the upload directory are never served or executed. Place the following in a .htaccess inside the directory where uploads are stored, not in the site root (there it would also block the CMS's own index.php). Apache 2.4 syntax is shown; on Apache 2.2 use "Order Allow,Deny" and "Deny from all" instead of "Require all denied". The file is only honoured if AllowOverride permits it, and nginx ignores .htaccess entirely (use a location block returning 403 for the same pattern there).

<FilesMatch "\.(php|php3|php4|php5|php7|php8|phtml|phar)$">
    Require all denied
</FilesMatch>

🧯 If You Can't Patch

  • Validate uploads server-side against an allowlist of extensions whose content matches (magic bytes), reject any name containing a PHP extension in any position (shell.php.jpg), store files under a server-generated name, and disable script execution in the upload directory
  • Deploy web application firewall with RCE protection rules
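The validation described above, as an added example that is not flatCore-CMS code (the CMS is PHP; the same checks map to pathinfo(), finfo_file() and bin2hex(random_bytes()) there). The magic-byte table, size limit and the list of executable extensions are this example's own assumptions and should be tuned to the deployment.

```python
"""Allowlist-based upload validation (added example, not flatCore-CMS code).

A file is accepted only if its extension is on the allowlist, no earlier
name component is a script extension, and the first bytes match the
signature for that extension. The client-supplied name is never reused.
"""
import os
import secrets

# Assumed allowlist: extension -> acceptable leading bytes
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit

# Extensions a PHP-enabled web server may execute. They are rejected in ANY
# position of the name because Apache's AddHandler can run "shell.php.jpg".
EXEC_EXT = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "cgi", "htaccess",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(original_name: str, data: bytes) -> str:
    """Return the server-generated filename to store under, or raise UploadRejected."""
    # Strip any directory component the client sent (../ or backslash tricks).
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # No extension, or a dotfile such as ".htaccess"
        raise UploadRejected(f"missing or invalid name: {base!r}")
    ext = parts[-1]
    if any(p in EXEC_EXT for p in parts[1:]) or ext not in MAGIC:
        raise UploadRejected(f"extension not allowed: {base!r}")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected(f"content does not match .{ext}")
    # Random name, allowlisted extension: the client never chooses the path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(original_name: str, data: bytes) -> bool:
    """Convenience wrapper returning True if the upload would be stored."""
    try:
        validate_upload(original_name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [("logo.png", png), ("shell.php", b"<?php "),
                       ("shell.php.jpg", b"\xff\xd8\xff\x00"), ("fake.png", b"<?php ")]:
        print(f"{name:16} accepted={is_accepted(name, blob)}")
```

A valid image header followed by PHP code (a polyglot) passes the magic-byte check, which is why this validation is paired with the .htaccess or web-server rule that denies execution in the upload directory; re-encoding images through an image library before storing them is a further hardening step.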

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is FlatCore-CMS 2.0.7 with the upload addon present in the addons directory. Independently of the version, list the upload directory for files with PHP extensions; any such file is evidence the bug may already have been used.

Check Version:

Check /core/version.php or admin panel version display

Verify Fix Applied:

Verify the version is 2.0.8 or higher, then in a staging copy upload a harmless file with a .php extension and confirm that it is either rejected or, if stored, returns a 403 or is served as plain text rather than executed when requested.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the upload endpoint storing files with PHP extensions (including double extensions such as .php.jpg)
  • GET requests for .php files beneath the upload directory, especially a new name requested shortly after a POST to the upload endpoint from the same client
  • Multiple failed upload attempts from one client, indicating probing of accepted file types

Network Indicators:

  • HTTP POST requests to upload endpoints with PHP files
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri_path="/addons/upload/" OR uri_path="/upload/") AND (file_extension="php" OR file_extension="php5" OR file_extension="phtml")
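The upload-then-execute pattern behind the indicators and SIEM query above, as an added example run over constructed Apache combined-format log lines; it is not part of the original advisory and not flatCore-CMS code. The endpoint prefixes come from the SIEM query; the upload directory prefixes and the ten-minute window are this example's assumptions.

```python
"""Detect upload-then-execute sequences in Apache combined access logs.

Added example, not part of the advisory. Flags (a) any request for a
PHP-named file beneath the upload directory and (b) the stronger case
where the same client POSTed to the upload endpoint shortly before and
the request succeeded.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_ENDPOINTS = ("/addons/upload/", "/upload/")   # from the advisory's SIEM query
UPLOAD_DIRS = ("/upload/", "/content/files/")         # assumption: where uploads land
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample log: one upload followed by execution, one benign fetch,
# one probe for a non-existent PHP file.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2021:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Sep/2021:14:02:40 +0000] "POST /addons/upload/index.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Sep/2021:14:03:05 +0000] "GET /upload/shell.php?cmd=id HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Sep/2021:14:05:00 +0000] "GET /upload/logo.png HTTP/1.1" 200 9034',
    '192.0.2.44 - - [10/Sep/2021:14:09:30 +0000] "GET /upload/old.php HTTP/1.1" 404 212',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return findings in time order; each has ip, path, status and kind."""
    uploads = defaultdict(list)  # ip -> timestamps of POSTs to the upload endpoint
    findings = []
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    for e in events:
        if e["method"] == "POST" and e["path"].startswith(UPLOAD_ENDPOINTS):
            uploads[e["ip"]].append(e["ts"])
        if e["path"].startswith(UPLOAD_DIRS) and PHP_EXT_RE.search(e["path"]):
            kind = "php_under_upload_dir"
            recent = [t for t in uploads[e["ip"]] if timedelta(0) <= e["ts"] - t <= window]
            if recent and e["status"] == 200:
                kind = "upload_then_execute"  # same client uploaded, then ran it
            findings.append({"ip": e["ip"], "path": e["path"],
                             "status": e["status"], "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['kind']:22} {f['ip']:14} {f['status']} {f['path']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a successful GET for a PHP file under the upload directory is worth investigating even without a preceding POST, since the upload may have happened before the log retention window.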
