PT-2017-18930 · Flatcore · Flatcore

Ghi · Published 2017-06-06 · Updated 2017-06-13 · CVE-2017-9451

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: flatCore version 1.4.6

Description: The issue is a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary JavaScript code via the PATH_INFO in an acp.php URL. The cause is the use of the unsanitized $_SERVER['PHP_SELF'] value to generate URLs: PHP_SELF carries any PATH_INFO appended to the script path, so an attacker-controlled path segment is reflected into the generated page.

Recommendations: For flatCore version 1.4.6, sanitize the $_SERVER['PHP_SELF'] value before it is written into HTML to prevent the injection of malicious JavaScript code. As a temporary workaround, restrict access to the acp.php URL to minimize the risk of exploitation.
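The following is an added illustration of the pattern the description names, not flatCore's own acp.php code. It reproduces the defect in miniature (PHP_SELF written unescaped into a form action) and shows two hardened forms: escaping the value for the HTML attribute context, and building the URL from SCRIPT_NAME, which does not carry PATH_INFO. The $server array is a constructed request, with an attribute-breakout marker standing in for a real payload.

```php
<?php
// Added example, not flatCore code. For a request to /acp.php/<extra>, PHP sets
// $_SERVER['PHP_SELF'] to "/acp.php/<extra>", while $_SERVER['SCRIPT_NAME'] stays
// "/acp.php" and $_SERVER['PATH_INFO'] holds "/<extra>".

// Vulnerable pattern: PHP_SELF is interpolated into an HTML attribute unescaped,
// so a double quote in PATH_INFO closes the attribute and the rest becomes markup.
function vulnerable_form_action(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern 1: keep PHP_SELF but escape it for the attribute context.
// ENT_QUOTES makes sure both ' and " are encoded.
function escaped_form_action(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Hardened pattern 2: avoid PHP_SELF altogether. SCRIPT_NAME is the path of the
// executing script without PATH_INFO; it is still escaped for defense in depth.
function script_name_form_action(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Detection helper for the vulnerable pattern: a PATH_INFO segment that contains
// characters meaningful in an HTML attribute should never reach the output.
function path_info_looks_hostile(array $server): bool
{
    $info = $server['PATH_INFO'] ?? '';
    return $info !== '' && preg_match('/["\'<>]/', $info) === 1;
}

// Constructed request (not captured traffic): the extra path segment carries a
// quote and a tag so the attribute breakout is visible in the output.
$server = [
    'SCRIPT_NAME' => '/acp.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/acp.php/"><b>injected</b>',
];

echo "Vulnerable: ", vulnerable_form_action($server), "\n";
echo "Escaped:    ", escaped_form_action($server), "\n";
echo "SCRIPT_NAME:", script_name_form_action($server), "\n";
echo "Hostile PATH_INFO detected: ", path_info_looks_hostile($server) ? 'yes' : 'no', "\n";
```

Run with `php example.php`. The first line shows the attribute closed early and the injected tag emitted as live markup; the second keeps the same URL but with `&quot;`, `&lt;` and `&gt;` in place of the breakout characters; the third drops the attacker-influenced segment entirely, which is why SCRIPT_NAME is the preferred base for self-referencing URLs. The detection helper is the kind of check a WAF rule or request log filter would apply to flag requests that exercise this path.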

Fix

XSS

Related Identifiers

CVE-2017-9451

Affected Products

Flatcore