CVE-2020-17451

Name of the Vulnerable Software and Affected Versions flatCore versions prior to 1.5.7

Description The issue allows for XSS by an admin via specific parameters in the "acp/acp.php" endpoint, including page linkname, page title, page content, or page extracontent when editing a page, or prefs pagename, prefs pagetitle, or prefs pagesubtitle when setting system preferences.

Recommendations For versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "acp/acp.php" endpoint, specifically the tn=pages&sub=edit and tn=system&sub=sys pref sections, to minimize the risk of exploitation. Avoid using the vulnerable parameters page linkname, page title, page content, page extracontent, prefs pagename, prefs pagetitle, or prefs pagesubtitle in the affected API endpoint until the issue is resolved.