Flatcore Flatcore-Cms vulnerabilities
13 known vulnerabilities affecting flatcore/flatcore-cms.
Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 6
Vulnerabilities
CVE-2021-39608 | P2 | HIGH | CVSS 7.2 | PoC | v2.0.7 | 2021-08-23 | CWE-434
Remote Code Execution (RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user execute arbitrary PHP code.
nvd
CVE-2021-41403 | P2 | CRITICAL | CVSS 9.8 | v2.0.8 | 2022-06-15 | CWE-918
flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities.
nvd
CVE-2021-41402 | P3 | HIGH | CVSS 8.8 | v2.0.8 | 2022-06-16 | CWE-94
flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.
nvd
CVE-2017-7878 | P3 | CRITICAL | CVSS 9.8 | v1.4.6 | 2017-04-14 | CWE-89
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
nvd
CVE-2017-7879 | P3 | HIGH | CVSS 7.5 | v1.4.6 | 2017-04-14 | CWE-89
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
nvd
CVE-2017-8868 | P3 | HIGH | CVSS 7.5 | v1.4.7 | 2017-05-10 | CWE-22
acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via directory traversal in the delete parameter to acp/acp.php. The risk might be limited to requests submitted through CSRF.
nvd
CVE-2017-7877 | P3 | HIGH | CVSS 8.8 | v1.4.6 | 2017-04-14 | CWE-352
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
nvd
CVE-2021-3745 | P4 | MEDIUM | CVSS 6.6 | fixed in 2.1.0 | 2021-10-28 | CWE-434
flatcore-cms is vulnerable to Unrestricted Upload of File with Dangerous Type
nvd
CVE-2021-39609 | P4 | MEDIUM | CVSS 5.4 | v2.0.7 | 2021-08-23 | CWE-79
Cross Site Scripting (XSS) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
nvd
CVE-2017-1000428 | P4 | MEDIUM | CVSS 6.1 | v1.4.6 | 2018-01-10 | CWE-79
flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-Agent string.
nvd
CVE-2021-42245 | P4 | MEDIUM | CVSS 6.1 | v2.0.9 | 2022-06-06 | CWE-79
FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections.
nvd
CVE-2022-43118 | P4 | MEDIUM | CVSS 6.1 | v2.1.0 | 2022-11-09 | CWE-79
A cross-site scripting (XSS) vulnerability in flatCore-CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username text field.
nvd
CVE-2021-40902 | P4 | MEDIUM | CVSS 5.4 | v2.0.8 | 2022-06-13 | CWE-79
flatCore-CMS version 2.0.8 is affected by Cross Site Scripting (XSS) in the "Create New Page" option through the index page.
nvd