Local File Inclusion Vulnerability in SearchBlox FileServlet Allows Unauthorized File Access

Local File Inclusion Vulnerability in SearchBlox FileServlet Allows Unauthorized File Access

CVE-2020-35580 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.

Learn more about our Web App Pen Testing.