PT-2021-15557 · Flatcore · Flatcore

Published: 2021-01-15 · Updated: 2021-01-22 · CVE-2021-23836

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: flatCore versions prior to 2.0.0 build 139
Description: A stored XSS issue was identified in the prefs smtp psw HTTP request body parameter of the acp interface. Because the parameter is not sanitized in any way, an admin user can inject malicious client-side script into it. The injected payload is executed in the browser of any user who visits the affected module page.
Recommendations: For versions prior to 2.0.0 build 139, consider disabling the prefs smtp psw parameter in the acp interface until a patch is available. Restrict access to the acp interface to minimize the risk of exploitation. Avoid using the prefs smtp psw parameter in the affected HTTP request body until the issue is resolved.
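The root cause described above is a stored value being written back into an admin page without output encoding. The following is an added illustration, not flatCore's code: it renders a constructed preference value (a harmless marker string) once in the vulnerable pattern and once with context-aware HTML encoding, and checks that the encoded form cannot reintroduce markup while still round-tripping to the original value. The field name `prefs_smtp_psw` and the page layout are assumptions for the demo.

```python
import html

# Constructed sample value as an admin might submit it; a benign marker string,
# chosen because it closes the value attribute and opens a tag if left unencoded.
STORED_PREF = '"><script>alert(1)</script>'


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: stored data interpolated raw into an HTML attribute."""
    return f'<input type="password" name="prefs_smtp_psw" value="{value}">'


def render_safe(value: str) -> str:
    """Hardened pattern: encode for the HTML-attribute context at output time.

    quote=True also encodes double and single quotes, so the value can never
    terminate the attribute it is placed in.
    """
    encoded = html.escape(value, quote=True)
    return f'<input type="password" name="prefs_smtp_psw" value="{encoded}">'


def contains_active_markup(rendered: str) -> bool:
    """Crude demo check: does the rendered HTML still contain a raw tag or handler?"""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered


def round_trips(value: str) -> bool:
    """Encoding must be lossless: a browser decodes entities back to the stored value,
    so a real SMTP password is not corrupted by the fix."""
    return html.unescape(html.escape(value, quote=True)) == value


if __name__ == "__main__":
    print("unsafe :", render_unsafe(STORED_PREF))
    print("safe   :", render_safe(STORED_PREF))
    print("unsafe contains markup:", contains_active_markup(render_unsafe(STORED_PREF)))
    print("safe contains markup  :", contains_active_markup(render_safe(STORED_PREF)))
```

The fix belongs at the point of output, not at the point of storage: a password field legitimately contains characters such as `<`, `"` and `&`, so stripping them on input would corrupt credentials, whereas encoding on output keeps the value intact and inert.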

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-23836

Affected Products: Flatcore