CVE-2021-23835

Name of the Vulnerable Software and Affected Versions: flatCore versions prior to 2.0.0 build 139

Description: A local file disclosure issue was identified in the docs file HTTP request body parameter for the acp interface. This can be exploited with admin access rights, allowing retrieval of backend server sensitive files, such as /etc/passwd, SQLite database files, and PHP source code, due to the affected parameter accepting malicious user input without proper sanitization.

Recommendations: For versions prior to 2.0.0 build 139, consider disabling the docs file parameter in the acp interface until a patch is available to prevent exploitation. Restrict access to the acp interface to minimize the risk of sensitive file disclosure. Avoid using the docs file parameter in the affected HTTP request body until the issue is resolved.