Cross-Site Scripting Vulnerability in FlatPress by FlatPress
CVE-2020-35241

4.8MEDIUM

Key Information:

Vendor: Flatpress
Status: Flatpress
Vendor: CVE Published:; 30 December 2020

Summary

FlatPress version 1.0.3 is vulnerable to a cross-site scripting (XSS) attack in its Blog Content component. This flaw permits an attacker to inject malicious scripts via the admin panel's blog content feature. When any user accesses the affected blog page, the injected XSS payload is executed, potentially allowing attackers to hijack user sessions by stealing cookies, thus posing significant security risks to users interacting with the blog.

References

https://www.flatpress.org/download

https://github.com/hemantsolo/CVE-Reference/blob/main/CVE...

https://github.com/alpernae/vulnerability-research/tree/m...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 30, 2020
Vulnerability Reserved
Dec 14, 2020