CVE-2019-10652 in flatCore
Summary
by MITRE
An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/23/2025
The vulnerability identified as CVE-2019-10652 represents a critical file upload flaw within the flatCore content management system version 1.4.7. This issue specifically affects the administrative control panel component known as acp/acp.php which handles the addons functionality. The flaw arises from insufficient input validation and access control measures that permit authenticated administrative users to bypass normal file upload restrictions and execute arbitrary php code on the target system. This vulnerability operates under the weakness category of CWE-434 which describes insecure file upload handling, where the system fails to properly validate file types and content before allowing uploads.
The technical exploitation of this vulnerability requires an attacker to first obtain valid administrative credentials, which then grants them access to the administrative control panel interface. Once authenticated, the attacker can navigate to the addons upload feature within acp/acp.php and submit malicious php files without proper validation. The system does not adequately verify file extensions, content type headers, or file contents before storing and processing uploaded files. This lack of proper sanitization creates a path for remote code execution where attackers can deploy web shells, backdoors, or other malicious payloads that persist on the server. The vulnerability directly enables arbitrary code execution through the web server's interpretation of php files, making it particularly dangerous for web applications that execute uploaded content.
The operational impact of this vulnerability is severe and multifaceted across multiple attack vectors. An attacker who successfully exploits this flaw gains persistent access to the compromised system and can establish a foothold for further lateral movement within the network infrastructure. The vulnerability allows for complete system compromise through web shell deployment, data exfiltration, and potential privilege escalation. Organizations using flatCore 1.4.7 face significant risk of unauthorized access, data breaches, and system infiltration. The attack surface extends beyond immediate code execution to include potential denial of service conditions, data corruption, and long-term persistence mechanisms that can evade traditional security monitoring. This vulnerability also falls under the ATT&CK framework category of T1059 for command and scripting interpreter and T1505 for server-side injection, representing both execution and persistence tactics.
Mitigation strategies for CVE-2019-10652 require immediate action to address the root cause of the vulnerability. Organizations should implement immediate patching of flatCore to version 1.4.8 or later where the file upload validation has been corrected. In the interim, administrators should restrict file upload permissions to the minimal necessary scope and implement strict file type validation with whitelisting approaches. The system should enforce proper content type checking and reject any files with php extensions or executable content. Network segmentation and monitoring should be enhanced to detect suspicious file upload activities and unusual php file execution patterns. Access control measures should be strengthened through multi-factor authentication and principle of least privilege enforcement for administrative accounts. Additionally, regular security audits should be conducted to identify and remediate similar vulnerabilities in other web applications and CMS platforms. The remediation process should also include disabling unnecessary administrative features and implementing web application firewalls to detect and block malicious upload attempts.