CVE-2017-1000428

Name of the Vulnerable Software and Affected Versions flatCore-CMS version 1.4.6

Description The issue concerns reflected XSS in the user management.php file due to the use of $ SERVER['PHP SELF'] to build links. Additionally, there is a stored XSS vulnerability in the admin log panel, which can be exploited by specifying a malformed User-Agent string, such as User-Agent.

Recommendations For flatCore-CMS version 1.4.6, consider updating the user management.php file to properly sanitize the $ SERVER['PHP SELF'] variable and restrict the use of malformed User-Agent strings in the admin log panel to minimize the risk of exploitation. As a temporary workaround, restrict access to the user management.php file and the admin log panel until a patch is available.