Vulnerability Details CVE-2020-35580
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.768
EPSS Ranking 98.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2020-35580
-
cpe:2.3:a:searchblox:searchblox:-
-
cpe:2.3:a:searchblox:searchblox:6.2
-
cpe:2.3:a:searchblox:searchblox:6.3
-
cpe:2.3:a:searchblox:searchblox:6.4
-
cpe:2.3:a:searchblox:searchblox:7.0
-
cpe:2.3:a:searchblox:searchblox:7.1
-
cpe:2.3:a:searchblox:searchblox:7.2
-
cpe:2.3:a:searchblox:searchblox:7.3
-
cpe:2.3:a:searchblox:searchblox:7.4
-
cpe:2.3:a:searchblox:searchblox:7.5
-
cpe:2.3:a:searchblox:searchblox:8.1
-
cpe:2.3:a:searchblox:searchblox:8.2
-
cpe:2.3:a:searchblox:searchblox:8.3.0
-
cpe:2.3:a:searchblox:searchblox:8.6.6
-
cpe:2.3:a:searchblox:searchblox:8.6.7
-
cpe:2.3:a:searchblox:searchblox:8.6.8
-
cpe:2.3:a:searchblox:searchblox:8.6.9
-
cpe:2.3:a:searchblox:searchblox:9.0
-
cpe:2.3:a:searchblox:searchblox:9.1
-
cpe:2.3:a:searchblox:searchblox:9.2
-
cpe:2.3:a:searchblox:searchblox:9.2.1