Vulnerabilities > Flatcore
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-15 | CVE-2021-23837 | SQL Injection vulnerability in Flatcore An issue was discovered in flatCore before 2.0.0 build 139. | 6.5 |
| 2021-01-15 | CVE-2021-23836 | Cross-site Scripting vulnerability in Flatcore An issue was discovered in flatCore before 2.0.0 build 139. | 4.8 |
| 2021-01-15 | CVE-2021-23835 | Improper Input Validation vulnerability in Flatcore An issue was discovered in flatCore before 2.0.0 build 139. | 4.9 |
| 2020-08-09 | CVE-2020-17452 | Unrestricted Upload of File with Dangerous Type vulnerability in Flatcore flatCore before 1.5.7 allows upload and execution of a .php file by an admin. | 7.2 |
| 2020-08-09 | CVE-2020-17451 | Cross-site Scripting vulnerability in Flatcore flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter. | 4.8 |
| 2019-07-18 | CVE-2019-13961 | Cross-Site Request Forgery (CSRF) vulnerability in Flatcore A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php. | 8.8 |
| 2019-03-30 | CVE-2019-10652 | Unrestricted Upload of File with Dangerous Type vulnerability in Flatcore 1.4.7 An issue was discovered in flatCore 1.4.7. | 7.2 |
| 2018-01-10 | CVE-2017-1000428 | Cross-site Scripting vulnerability in Flatcore Flatcore-Cms 1.4.6 flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-Agent string. | 6.1 |
| 2017-06-06 | CVE-2017-9451 | Cross-site Scripting vulnerability in Flatcore 1.4.6 Cross site scripting (XSS) vulnerability in pages.edit_form.php in flatCore 1.4.6 allows remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs. | 6.1 |
| 2017-05-10 | CVE-2017-8868 | Path Traversal vulnerability in Flatcore Flatcore-Cms 1.4.7 acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via directory traversal in the delete parameter to acp/acp.php. | 7.5 |