Flatcore · CVE-2020-17451
**Name of the Vulnerable Software and Affected Versions**
flatCore versions prior to 1.5.7
**Description**
flatCore before 1.5.7 allows cross-site scripting (XSS) by an admin via parameters of the `acp/acp.php` endpoint: `page_linkname`, `page_title`, `page_content` or `page_extracontent` when editing a page (`tn=pages&sub=edit`), and `prefs_pagename`, `prefs_pagetitle` or `prefs_pagesubtitle` when setting system preferences (`tn=system&sub=sys_pref`).
**Recommendations**
For versions prior to 1.5.7, update to version 1.5.7 or later. As a temporary workaround, restrict access to the `acp/acp.php` endpoint, in particular the `tn=pages&sub=edit` and `tn=system&sub=sys_pref` sections, to reduce the risk of exploitation, and avoid using the vulnerable parameters `page_linkname`, `page_title`, `page_content`, `page_extracontent`, `prefs_pagename`, `prefs_pagetitle` and `prefs_pagesubtitle` in the affected endpoint until the fix is applied.
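The defensive point behind this class of bug is that the affected fields need two different treatments on output: title-like values are plain text and must be HTML-escaped, while the page content fields legitimately carry HTML and need an allowlist sanitizer rather than escaping. The following is an added illustration, not flatCore's own code; the field names are taken from the parameter names above and the allowlist is an assumed, deliberately small policy.

```python
import html
from html.parser import HTMLParser

# Field names follow the CVE record's parameter names (assumed mapping).
TEXT_FIELDS = {"page_linkname", "page_title", "prefs_pagename",
               "prefs_pagetitle", "prefs_pagesubtitle"}
HTML_FIELDS = {"page_content", "page_extracontent"}

# Allowlist for the HTML-bearing fields: tags, per-tag attributes, URL prefixes.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br"}

class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags/attributes; text is escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tags (script, img, iframe, ...) are dropped entirely
        kept = []
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, set()) and value is not None
                    and value.strip().lower().startswith(SAFE_URL_PREFIXES)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on the way out.
        self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_field(name, value):
    """Return the HTML-safe form of one admin-supplied field for output."""
    if name in TEXT_FIELDS:
        return html.escape(value, quote=True)  # plain text: escape everything
    if name in HTML_FIELDS:
        return sanitize_html(value)  # rich content: allowlist, do not escape
    raise ValueError(f"unknown field {name!r}")
```

Event handlers and non-allowlisted tags are removed from content fields, while text fields never reach the browser unescaped.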