CVE-2021-39608
FlatCore-CMS 2.0.7 is vulnerable to remote code execution via the upload addon plugin, allowing a remote attacker to execute arbitrary PHP code. Public material across multiple feeds (NVD, RH/CVE, CNVD, OSV, CNVD) confirms RCE through the addon upload path. An exploit script exists publicly (Expl...
CVE-2021-42245
FlatCore-CMS 2.0.9 is affected by a cross-site scripting (XSS) vulnerability in pages.edit.php triggered via meta tags and content sections. Root cause is insecure handling of user-supplied metadata/content in that page, enabling injection of JavaScript. Reported impacts in public sources include...
CVE-2021-40902
flatCore-CMS v2.0.8 contains a Cross-Site Scripting (XSS) vulnerability in the Create New Page option on the index page. The root cause cited in CNVD/CNNVD entries is insufficient input/output data filtering (lack of checksum filtering of user-supplied data), enabling an attacker to trigger JavaS...
CVE-2021-41402
Multiple sources describe the same issue under CVE-2021-41402: flatCore-CMS v2.0.8 contains a code execution vulnerability. CNNVD details indicate the root cause is a lack of data filtering and escaping in specific cache-related PHP scripts (/content/cache/active_urls.php and /content/c...
CVE-2021-39609
CVE-2021-39609 concerns FlatCore-CMS 2.0.7, where a Cross-Site Scripting (XSS) vulnerability exists via the Upload Image feature. Multiple sources (NVD, CNVD/CNNVD, CVE listings) corroborate that this is an XSS in flatCore’s CMS handling of image uploads. The connected documents do not provide co...
CVE-2021-41403
CVE-2021-41403 affects flatCore-CMS 2.0.8, where a call to a dangerous function enables server-side request forgery (SSRF). Multiple connected sources corroborate SSRF risk in flatCore-CMS 2.0.8, with the NVD listing high/critical impact across CVSS 2.0 and 3.1 metrics. The root cause is describe...
CVE-2022-43118
Summary: CVE-2022-43118 is a cross-site scripting (XSS) vulnerability in flatCore-CMS v2.1.0 that allows an attacker to inject arbitrary web scripts or HTML via the Username field. Affected product (from provided documents): flatCore-CMS, version 2.1.0. Technical details (as stated): The vulnerab...
CVE-2021-3745
CVE-2021-3745 affects flatcore-cms and stems from an unrestricted file upload in the gallery upload path (files.upload_gallery.php). The provided PoC demonstrates uploading a PHP payload and then requesting the generated file to obtain a shell, indicating potential remote code execution with admi...
CVE-2017-7878
CVE-2017-7878 describes a SQL injection vulnerability in flatCore version 1.4.6 that allows an attacker to read and write to the users database. The connected records corroborate the vulnerability across multiple sources (including Red Hat, CNVD, OSV, and CVE lists), all stating the same flaw in ...
CVE-2017-7877
CVE-2017-7877 affects flatCore 1.4.6 and is a CSRF vulnerability that allows remote attackers to modify CMS configurations. Public descriptions across NVD/CNVD/OSV lists confirm CSRF as the issue; CVSS v3.0 base score 8.8 (HIGH) with network attack, low attack complexity, no authentication, and u...
CVE-2017-1000428
FlatCore-CMS 1.4.6 is vulnerable to both reflected and stored XSS. The reflected XSS occurs in user_management.php via $_SERVER['PHP_SELF'] when building links, and a stored XSS is present in the admin log panel through a malformed User-Agent string. The CVE description and multiple connected rec...
CVE-2017-7879
CVE-2017-7879 affects flatCore CMS (version 1.4.6). It is a SQL injection vulnerability that could allow an attacker to read the content database. The provided connected documents corroborate the vulnerability across multiple databases (Red Hat, CNVD, OSV, NVD, CVE lists). There is no explicit re...
CVE-2017-8868
The CVE-2017-8868 vulnerability affects flatCore 1.4.7, where acp/core/files.browser.php enables deletion of files via directory traversal in the delete parameter to acp/acp.php. The underlying issue is a directory-traversal flaw that can impact files reachable through that parameter. The NVD ent...