Stored XSS via title, subtitle, footer and post title and content in flatpressblog/flatpress

Valid

Reported on

Dec 26th 2022


Description

The site is vulnerable to Stored XSS via the Blog title, Blog subtitle and Blog footer settings, and also via the title and body content of a post.

Proof of Concept

  • Login as Admin
  • Go to Administration Area -> Option

Set in each of the 3 fields a payload like this:

<script>alert(document.domain)</script>


Now go to the blog, and you'll see that all 3 payloads actually fire:


The title and body content of an entry are also vulnerable; I'll treat that as a second occurrence.
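To make the root cause and the fix concrete, here is an added, self-contained PHP illustration. It is not FlatPress code and does not reproduce the project's actual templates or the commit referenced below; the array keys and function names are assumptions. It stores the report's payload in the three settings, renders them once as-is (the vulnerable pattern) and once HTML-encoded at the output point (the hardened pattern), and checks which version still contains a live <script> tag.

```php
<?php
// Added illustration, not FlatPress code. A minimal stand-in for an
// admin "Options" page that stores blog title/subtitle/footer and a
// theme that renders them. Key and function names are assumptions.

// Constructed sample: the report's PoC payload stored in all three fields.
$payload = '<script>alert(document.domain)</script>';
$config = [
    'blogtitle' => $payload,
    'subtitle'  => $payload,
    'footer'    => $payload,
];

// Vulnerable rendering: stored strings are interpolated into the HTML
// verbatim, so every visitor's browser parses and runs the <script>.
function render_vulnerable(array $cfg): string
{
    return "<h1>{$cfg['blogtitle']}</h1>\n"
         . "<h2>{$cfg['subtitle']}</h2>\n"
         . "<footer>{$cfg['footer']}</footer>\n";
}

// Hardened rendering: HTML-encode at the output point. ENT_QUOTES also
// encodes single quotes so the value stays safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, which would otherwise silently blank a field.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $cfg): string
{
    return '<h1>' . e($cfg['blogtitle']) . "</h1>\n"
         . '<h2>' . e($cfg['subtitle']) . "</h2>\n"
         . '<footer>' . e($cfg['footer']) . "</footer>\n";
}

// Self-check: a literal "<script>" in the output means the payload fires.
function payload_fires(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

foreach (['vulnerable' => render_vulnerable($config),
          'hardened'   => render_hardened($config)] as $name => $html) {
    echo $name . ': ' . (payload_fires($html) ? 'payload fires' : 'payload neutralised') . "\n";
}
echo render_hardened($config);
// The hardened output shows &lt;script&gt;alert(document.domain)&lt;/script&gt;
// as visible text instead of executing it.
```

The point of encoding on output rather than stripping on input is that the same stored value may later be placed in other contexts (RSS, page titles, attributes), and a filter applied once at save time is easy to bypass or to forget when a new field such as the post title is added.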

Impact

Attacker-controlled JavaScript executes in the browser of every visitor to the blog without any user interaction, since the payload is stored and rendered on every page view. Setting the payload requires administrator access, so the realistic attacker is an account with admin rights.

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 4 months ago
leorac modified the report
4 months ago
leorac modified the report
4 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 4 months ago
flatpressblog/flatpress maintainer validated this vulnerability 4 months ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 3a32aa 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023
admin.config.php#L56 has been validated
leorac
4 months ago

Researcher


@admin so what about the CVE?

Pavlos
4 months ago

Admin


It'll be published on the 1st of March 2023 (see above schedule)

flatpressblog/flatpress maintainer published this vulnerability 2 months ago