Pierquinto Manco

Researcher from CODEBUG Labs
#18053 of 53,633
15 Total CVSS
Vulnerabilities · 2
High · 2
PT-2005-1345
7.5
2005-02-10
Flatnuke · Flatnuke · CVE-2005-0267
**Name of the Vulnerable Software and Affected Versions** FlatNuke version 2.5.1

**Description** The issue allows remote attackers to create an administrator account by exploiting a flaw in the `url avatar` field of the `index.php` file. This is achieved by using carriage returns and line feeds (`#10`) in the field, which are then interpreted as a sensitive directive.

**Recommendations** For FlatNuke version 2.5.1, consider restricting access to the `index.php` file until a patch is available, and avoid using the `url avatar` field in a way that could be exploited by attackers. As a temporary workaround, restrict the ability to create new administrator accounts to minimize the risk of exploitation.

PT-2005-1346
7.5
2005-01-03
Flatnuke · Flatnuke · CVE-2005-0268
**Name of the Vulnerable Software and Affected Versions** FlatNuke version 2.5.1

**Description** A code injection issue allows remote attackers to execute arbitrary PHP code by injecting it into the `url avatar` field.

**Recommendations** For FlatNuke version 2.5.1, consider restricting access to the `url avatar` field to prevent code injection until a patch is available.