FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message.
Threat-Mapped Scoring
Score: 3.1
Priority: P2 - Serious (High)
S1 – Steal Customer Account Information
S10 – Denial of Service (+0.1 bonus)
EPSS
Score: 0.01029Percentile:
0.76373
CVSS Scoring
CVSS v2 Score: 6.4
Severity:
Mapped CWE(s)
CWE-425
: Direct Request ('Forced Browsing')
All CAPEC(s)
CAPEC-127 : Directory Indexing
CAPEC-143 : Detect Unpublicized Web Pages
CAPEC-144 : Detect Unpublicized Web Services
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
CAPEC-87 : Forceful Browsing
CAPEC(s) with Mapped TTPs
CAPEC-127 : Directory Indexing
Mapped TTPs:
T1083
: File and Directory Discovery
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
Mapped TTPs:
Mapped ATT&CK TTPs
T1083
: File and Directory Discovery
Kill Chain: discovery
T1565.002
: Transmitted Data Manipulation
Kill Chain: impact
Malware
APTs Threat Group Associations
Campaigns
Operation Wocao SolarWinds Compromise Operation CuckooBees Operation Honeybee Operation Dream Job C0015 Night Dragon KV Botnet Activity
Affected Products
cpe:2.3:a:flatnuke:flatnuke:*:*:*:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me