N/A

An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin access rights. The affected parameter (which retrieves the contents of the specified file) was found to be accepting malicious user input without proper sanitization, thus leading to retrieval of backend server sensitive files, e.g., /etc/passwd, SQLite database files, PHP source code, etc.

N/A

N/A

flatCore 输入验证错误漏洞

flatCore是一套基于PHP和SQLite的轻量级内容管理系统（CMS）。 flatCore CMS 2.0.0 build 139版本之前存在输入验证错误漏洞，该漏洞源于在程序的"docs_file"中发现了本地文件泄露漏洞"acp"接口的HTTP请求主体参数。攻击者可利用该漏洞获取敏感信息。

N/A

N/A