Improper Restriction of Rendered UI Layers or Frames in flatcore/flatcore-cms
Oct 11th 2021
Attackers can trick admin users into performing actions because the application does not set an X-Frame-Options: DENY header (or an equivalent Content-Security-Policy frame-ancestors directive).
This header matters because it prevents other websites from loading the application in an iframe. If the application can be framed, an attacker can embed it, invisibly, in a page they control and trick a logged-in administrator into clicking on it, triggering state-changing actions such as deleting data (clickjacking).
Proof of Concept
An attacker can use this vulnerability to trick an authenticated admin user into deleting data.
Set the X-Frame-Options: DENY header on every response (SAMEORIGIN if the application needs to frame its own pages). Current browsers also honour Content-Security-Policy: frame-ancestors 'none', which takes precedence over X-Frame-Options when both are present, so setting both is the safest option.
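To confirm the header is missing before the fix and effective after it, the check below evaluates a response's headers the way a browser would: a Content-Security-Policy frame-ancestors directive wins over X-Frame-Options, DENY and SAMEORIGIN block cross-origin framing, and the obsolete ALLOW-FROM form is not honoured by current browsers and so counts as no protection. This is an added example, not code from the advisory or from flatCore; the sample header sets are constructed, and the headers would normally be taken from a real HTTP response (for example with requests or curl).

```python
"""
Added example (not from the original advisory or the flatCore project):
decide from response headers whether a page can be framed by an
arbitrary third-party origin, i.e. whether it is exposed to clickjacking.

Assumptions:
  - headers is a single mapping of header name -> value (duplicate
    Content-Security-Policy headers are not modelled).
  - Content-Security-Policy-Report-Only is ignored, since it does not enforce.
"""
from typing import List, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framable_by_third_party(headers: Mapping[str, str]) -> bool:
    """True if a page served with these headers can be framed by any site."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # CSP frame-ancestors takes precedence over X-Frame-Options.
            if sources == ["none"] or all(s == "self" for s in sources):
                return False
            # Wildcard or bare scheme sources let any origin frame the page;
            # an explicit host allowlist restricts framing to those hosts.
            return any(s in ("*", "http:", "https:") for s in sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True  # the flatCore condition: no header at all
    value = xfo.strip().upper()
    # ALLOW-FROM is obsolete and ignored by current browsers, so only
    # DENY and SAMEORIGIN actually stop cross-origin framing.
    return value not in ("DENY", "SAMEORIGIN")


# Constructed sample responses (not captured from a real server).
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
FIXED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED), ("fixed", FIXED)):
        print(label, "framable:", framable_by_third_party(hdrs))
```

Run it against the headers of the admin pages before and after the fix; the unprotected response set reports framable, the fixed one does not. Note that X-Frame-Options must be sent as an HTTP header, not as an HTML meta tag, which browsers ignore for this header.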