flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links, and to stored XSS in the admin log panel via a malformed User-Agent string.
CVSS: 6.1, AI Score: 5.9, EPSS: 0.001
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
CVSS: 8.8, AI Score: 8.6, EPSS: 0.006
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
CVSS: 9.8, AI Score: 9.7, EPSS: 0.001
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
CVSS: 7.5, AI Score: 7.8, EPSS: 0.001
acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via directory traversal in the delete parameter to acp/acp.php. The risk might be limited to requests submitted through CSRF.
CVSS: 7.5, AI Score: 7.4, EPSS: 0.001
CVSS: 6.6, AI Score: 6.4, EPSS: 0.001
A remote code execution (RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user execute arbitrary PHP code.
CVSS: 7.2, AI Score: 7.2, EPSS: 0.033
A cross-site scripting (XSS) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
CVSS: 5.4, AI Score: 5.3, EPSS: 0.001
flatCore-CMS version 2.0.8 is affected by Cross Site Scripting (XSS) in the "Create New Page" option through the index page.
CVSS: 5.4, AI Score: 5.3, EPSS: 0.001
flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.
CVSS: 8.8, AI Score: 9, EPSS: 0.001
flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities.
CVSS: 9.8, AI Score: 9.5, EPSS: 0.002
FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections.
CVSS: 6.1, AI Score: 5.9, EPSS: 0.001
A cross-site scripting (XSS) vulnerability in flatCore-CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username text field.
CVSS: 6.1, AI Score: 5.8, EPSS: 0.001