10 matches found
CVE-2021-23835
CVE-2021-23835 affects flatCore prior to 2.0.0 build 139. The issue is a local file disclosure in the docs_file HTTP request body parameter of the acp interface, which accepts malicious user input and can reveal sensitive backend files (e.g., /etc/passwd, SQLite DBs, PHP source) when an attacker ...
CVE-2019-13961
CVE-2019-13961 affects flatCore prior to version 1.5. The vulnerability is a CSRF flaw in the web app that enables uploading arbitrary .php files via acp/core/files.upload-script.php, potentially letting an attacker place executable PHP on the server. Multiple connected sources document this CSRF...
CVE-2021-23838
The CVE-2021-23838 issue affects flatCore CMS prior to 2.0.0 build 139. A reflected XSS vulnerability exists in the media_filter HTTP request body parameter for the acp interface, where unsanitized input can inject client-side scripts. This can enable cookie theft and session hijacking, potential...
CVE-2021-23837
CVE-2021-23837 affects flatCore prior to 2.0.0 build 139. A time-based blind SQL injection is present in the selected_folder HTTP request body parameter for the acp interface, where input is not properly sanitized, enabling retrieval of database information. Public details consistently identify t...
CVE-2021-23836
The CVE-2021-23836 entry concerns flatCore before 2.0.0 build 139, with a stored XSS in the prefs_smtp_psw parameter of the acp interface. An admin can inject client-side script that executes in a user’s browser when visiting the affected module page. The vulnerability is concrete across multiple...
CVE-2020-17451
CVE-2020-17451 affects flatCore before 1.5.7. The issue is a reflected XSS vulnerability exploitable by an admin via acp/acp.php?tn=pages&sub=edit&editpage=1 (parameters: page_linkname, page_title, page_content, page_extracontent) or acp/acp.php?tn=system&sub=sys_pref (prefs_pagename, prefs_paget...
CVE-2020-17452
The CVE-2020-17452 entry concerns flatCore CMS (PHP/SQLite) prior to version 1.5.7, where an unrestricted file upload vulnerability allows an admin to upload and execute a PHP file. The root cause is an unrestricted file upload flaw enabling remote code execution; impact details in sources indica...
CVE-2019-10652
CVE-2019-10652 affects the acp/acp.php component of flatCore 1.4.7. The issue allows remote authenticated administrators to upload arbitrary PHP files via the addons/upload mechanism, enabling potential remote code execution as indicated by described exploit activity in multiple sources (e.g., exploit-d...
CVE-2017-9451
CVE-2017-9451 corresponds to a cross-site scripting (XSS) vulnerability in flatCore 1.4.6, affecting pages.edit_form.php. The issue arises from using unsanitized $_SERVER['PHP_SELF'] to generate URLs, allowing remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL. Th...
CVE-2021-40555
CVE-2021-40555 is an XSS vulnerability in flatCore-CMS 2.2.15, allowing an attacker to execute arbitrary code via the description field on the new page creation form. The document set confirms the affected software and the vulnerable component (description field handling on page creation). Exploit de...