CVE-2022-40048: 
FlatPress vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in Flatpress version 1.2.1, specifically affecting the Upload File function. The vulnerability was identified and reported on September 27, 2022, with CVE-2022-40048 being assigned on September 6, 2022 (CVE Details, NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 base score is 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability that requires high privileges but no user interaction for exploitation (NVD).

The vulnerability allows a privileged attacker to gain access to the server through the file upload functionality. The download functionality is not properly sandboxed and lacks adequate security controls, which can be exploited by uploading dangerous file types (GitHub Issue).

The recommended mitigation strategies include restricting accepted file types, implementing proper file extension checks, and implementing file renaming using random names or hashes after upload (GitHub Issue).

The vulnerability was initially reported to the vendor at hello@flatpress.org but received no response for two months before being publicly disclosed on GitHub (GitHub Issue).