Improper Restriction of Rendered UI Layers or Frames in flatcore/flatcore-cms


Reported on

Oct 11th 2021


Attackers can trick admin users into performing actions because there is no X-Frame-Options: DENY header set by the application.

This header is important because it prevents other websites from Iframing the website. If the website can be iframed, then the attacker can host a malicious iframe on their site and trick the user into deletion of data.. etc)

Proof of Concept

<iframe src="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts">


This vulnerability is capable of tricking the admin user into deletion of data.

Recommended Fix

Add the X-Frame-Options: DENY header.

2 years ago


@haxatron it is secure enough to use X-Frame-Options: SAMEORIGIN If I use DENY, the preview (in the backend) no longer works.

2 years ago


yes that works too!

Patrick validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


Thank you!

Patrick marked this as fixed with commit e1496f 2 years ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation