Stored XSS through post comment body in flatpressblog/flatpress

Valid

Reported on Jan 1st 2023


Description

The body of the comment is vulnerable to stored XSS.

Proof of Concept

  • Create a post
  • Comment on it, and insert <script>alert(document.domain)</script> in the body

Impact

JavaScript code can be executed on the user end without any interaction.
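
The pattern behind this report and the usual remedy, output encoding of the stored comment body, shown as an added example (this is not FlatPress code and not the fix commit). The function names and the comment array layout are assumptions, and the sample comment is constructed from the payload in the Proof of Concept.

```php
<?php
declare(strict_types=1);

// Constructed sample: a stored comment whose body carries the payload from the PoC.
$comment = [
    'name'    => 'visitor',
    'content' => "Nice post!\n<script>alert(document.domain)</script>",
];

// Vulnerable pattern (hypothetical renderer): the stored body is written
// into the page verbatim, so the browser parses it as markup.
function render_comment_unsafe(array $c): string
{
    return '<div class="comment"><strong>' . $c['name'] . '</strong><p>'
         . $c['content'] . '</p></div>';
}

// Hardened pattern: encode every user-controlled field at output time.
// Line breaks are converted only after encoding, so the <br> tags are
// the only markup that reaches the page.
function render_comment_safe(array $c): string
{
    $enc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<div class="comment"><strong>' . $enc($c['name']) . '</strong><p>'
         . nl2br($enc($c['content']), false) . '</p></div>';
}

$unsafe = render_comment_unsafe($comment);
$safe   = render_comment_safe($comment);

// Regression checks: the raw tag must survive only in the unsafe output.
if (!str_contains($unsafe, '<script>')) {
    throw new RuntimeException('unsafe renderer unexpectedly encoded the body');
}
if (str_contains($safe, '<script>')) {
    throw new RuntimeException('safe renderer let a script tag through');
}
if (!str_contains($safe, '&lt;script&gt;alert(document.domain)&lt;/script&gt;')) {
    throw new RuntimeException('payload was not encoded as expected');
}

echo $safe, PHP_EOL;
```

The checks at the end can be lifted into a unit test so that a later template change that drops the encoding fails the build.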

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 4 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 4 months ago
Arvid Zimmermann validated this vulnerability 4 months ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arvid Zimmermann marked this as fixed in 1.3 with commit 264217 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023
Arvid Zimmermann published this vulnerability 2 months ago