Description:
Cross-site scripting (XSS) vulnerabilities arise when an attacker sends malicious code to the
victim's browser, mostly using JavaScript. A vulnerable web application might embed untrusted
data in the output, without filtering or encoding it. In this way, an attacker can inject a malicious
script into the application, and the script will be returned in the response. This will then run on the
victim's browser.
It is observed that the page parameter does not sanitize input properly, which leads to reflected XSS
attacks.
Technical Impact:
It is possible to steal or manipulate customer sessions and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter the blog.
Suggested Remediation:
Application should encode data on output.
Application should filter input on page parameters.
Severity: Medium
Steps to Reproduce:
Log in to the application
Enter the below payload in the URL and observe the XSS payload getting executed. Payload: http://server/flatpress/admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.cookie%29%22autofocus%3d%22zr4da
Opening issue here, got no reply from [hello@flatpress.org] for 2 months
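
The two items under Suggested Remediation, sketched in PHP as an added example (this is not FlatPress code and not part of the original report). It assumes, from the quote-breaking shape of the reported value, that page is echoed into a double-quoted HTML attribute; the function names, the input field, and the allow-list pattern for page identifiers are hypothetical.

```php
<?php
// Added example; not FlatPress code. Function and field names are hypothetical.

// Unsafe pattern: the request value is concatenated into a double-quoted
// attribute, so a double quote in the value ends the attribute early.
function render_unsafe(string $page): string {
    return '<input type="text" name="page" value="' . $page . '">';
}

// Remediation 1, encode on output: ENT_QUOTES encodes both " and ', so the
// value stays inside the attribute whatever it contains.
function render_encoded(string $page): string {
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="page" value="' . $safe . '">';
}

// Remediation 2, filter on input: allow-list for a page identifier.
// Assumed format: letters, digits, "-" and "_", at most 64 characters.
function filter_page_id(string $page): ?string {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page) === 1 ? $page : null;
}

// Constructed inputs: an ordinary identifier, and the URL-decoded page value
// from the reproduction step in the report.
$samples = [
    'about-us',
    '"onfocus="alert(document.cookie)"autofocus="zr4da',
];

foreach ($samples as $s) {
    $id = filter_page_id($s);
    echo "input:   $s\n";
    echo "filter:  " . ($id === null ? 'rejected' : 'accepted') . "\n";
    echo "unsafe:  " . render_unsafe($s) . "\n";
    echo "encoded: " . render_encoded($s) . "\n\n";
}
```

The filter and the encoder are independent controls: the filter rejects the request early, while the encoder keeps the output safe for any value that reaches the template, including values from other sources.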