CVE-2021-41402: Code execution vulnerabilities in the background · Issue #59 · flatCore/flatCore-CMS
flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.
Describe the bug
Code execution vulnerabilities in the background
To Reproduce
Steps to reproduce the behavior:
1. Log in to the background
2. Go to /acp/acp.php?tn=pages&sub=new#position
3. Click info and enter the malicious PHP code in the Permalink parameter to jump out of the structure to execute the malicious code
4. Click save
5. /content/cache/active_urls.php and /content/cache/cache_lastedit.php files will be inserted with malicious code
6. Visit the homepage and you will see that the malicious code we inserted was successfully executed and returned the result
Screenshots
Click Save New Page
Desktop (please complete the following information):
- OS: MacOS
- Browser: All
- Version: Last version
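
The report above describes a Permalink value ending up inside generated `.php` cache files. The following is an added illustration of that bug class and its fix, not flatCore code and not part of the original issue: the function names and the cache layout (a PHP file holding an array of permalinks) are assumptions, and the sample values are constructed.

```php
<?php
// Added illustration, not flatCore code. Names and cache layout are assumptions.

// Input check for the save handler: lowercase letters, digits, '/', '_', '-' only.
function is_valid_permalink(string $permalink): bool
{
    return preg_match('#^[a-z0-9][a-z0-9/_-]{0,199}\z#', $permalink) === 1;
}

// Unsafe pattern: the value is pasted between quotes in generated PHP source,
// so a quote inside the value closes the literal and the remainder is parsed as code.
function render_cache_unsafe(array $permalinks): string
{
    $out = "<?php\nreturn array(\n";
    foreach ($permalinks as $p) {
        $out .= "  '" . $p . "',\n";
    }
    return $out . ");\n";
}

// Hardened pattern: var_export() emits a correctly escaped literal for any string,
// and the file is replaced atomically so readers never see a partial write.
function write_cache_safe(string $file, array $permalinks): void
{
    $php = "<?php\nreturn " . var_export(array_values($permalinks), true) . ";\n";
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $file)) {
        throw new RuntimeException("cannot write cache file: $file");
    }
}

// Constructed sample input: one ordinary permalink and one containing a quote.
$samples = ['news/first-post', "about'x"];

foreach ($samples as $s) {
    printf("%-16s accepted by input check: %s\n", $s, is_valid_permalink($s) ? 'yes' : 'no');
}

// Shown as text only: the second entry's literal is closed early by the quote.
echo render_cache_unsafe($samples);

// The hardened writer stores the same values as data; including the file returns them unchanged.
$file = tempnam(sys_get_temp_dir(), 'urls');
write_cache_safe($file, $samples);
$loaded = include $file;
var_dump($loaded === $samples);
unlink($file);
```

Rejecting the value at save time and escaping it at write time are independent layers; storing the cache as JSON or another non-executable format removes the code-generation step entirely.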