First published: Fri Jan 15 2021(Updated: )
An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Flatcore Flatcore | <=2.0.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-23836 is a stored XSS vulnerability discovered in flatCore CMS before version 2.0.0 build 139.
CVE-2021-23836 has a severity rating of 4.8, which is considered medium.
Versions up to and including 2.0.0 of flatCore CMS are affected by CVE-2021-23836.
An admin user can inject malicious client-side script into the prefs_smtp_psw parameter in the HTTP request body for the acp interface.
It is recommended to update flatCore CMS to version 2.0.0 build 139 or later to fix the stored XSS vulnerability.