Back to KEVs

CVE-2020-35580

A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files...

Basic Information

CVE State: PUBLISHED
Reserved Date: December 20, 2020
Published Date: May 20, 2021
Last Updated: August 04, 2024
Vendor: SearchBlox
Product: SearchBlox
Description: A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
Tags

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Score

Score: 76.78% (Percentile: 98.89%) as of 2025-07-29

Exploit Status

Exploited in the Wild: Yes (2025-07-14 00:00:00 UTC) Source

References

https://developer.searchblox.com/docs/getting-started-with-searchblox https://hateshape.github.io/general/2021/05/11/CVE-2020-35580.html

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-07-15 12:00:15 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-35580.yaml	2025-04-26 00:00:00 UTC

Timeline

CVE ID Reserved

December 20, 2020
CVE Published to Public

May 20, 2021
Detected by Nuclei

April 26, 2025
Added to KEVIntel

July 15, 2025