Stored XSS through post comment body in flatpressblog/flatpress

Valid

Reported on Jan 1st 2023


Description

The body of a post comment is vulnerable to stored XSS.

Proof of Concept

  • Create a post
  • Comment on it, and insert <script>alert(document.domain)</script> in the body

Impact

JavaScript code can be executed on the user's end without any interaction.
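
The underlying defect class is a stored comment body reaching the page without HTML output encoding. The PHP sketch below is an added example, not FlatPress code and not the fix from commit 264217; the function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not FlatPress code: all function names are hypothetical.

// Vulnerable pattern: the stored body is concatenated into HTML as-is.
function render_comment_unsafe(string $body): string
{
    return '<div class="comment-body">' . $body . '</div>';
}

// Hardened pattern: encode for the HTML body context when rendering, then
// add back only markup the application generates itself (line breaks).
function render_comment_safe(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="comment-body">' . nl2br($escaped, false) . '</div>';
}

// Regression check: a rendered comment must not contain a raw '<' that
// came from the stored body.
function has_raw_angle_bracket(string $html): bool
{
    // Strip the wrapper and the <br> tags the renderer emits on purpose.
    $inner = preg_replace('~^<div class="comment-body">|</div>$~', '', $html);
    $inner = str_replace('<br>', '', $inner);
    return strpos($inner, '<') !== false;
}

// Constructed sample inputs; the first is the payload from the report.
$samples = [
    '<script>alert(document.domain)</script>',
    "first line\nsecond line",
    'Tom & "Jerry" <3',
];

foreach ($samples as $body) {
    $unsafe = has_raw_angle_bracket(render_comment_unsafe($body)) ? 'raw' : 'clean';
    $safe   = has_raw_angle_bracket(render_comment_safe($body)) ? 'raw' : 'clean';
    printf("%-45s unsafe=%s safe=%s\n", json_encode($body), $unsafe, $safe);
}
```

Encoding at render time rather than at storage time keeps the stored comment intact and protects every template that outputs it through the safe renderer.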

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists (a year ago)
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back (a year ago)
Arvid Zimmermann validated this vulnerability (a year ago)
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arvid Zimmermann marked this as fixed in 1.3 with commit 264217 (a year ago)
The fix bounty has been dropped
This vulnerability has now been published (a year ago)