2017-06-06 16:00:00
mitre
PUBLISHED
Cross site scripting (XSS) vulnerability in pages.edit_form.php in flatCore 1.4.6 allows remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL, due to use of unsanitized $_SERVER[PHP_SELF] to generate URLs.