oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Stored XSS vulnerability in BlogoText <= 3.7.5

From: chbi () chbi eu
Date: Sun, 1 Oct 2017 09:25:07 +0200

Hi,

I've discovered a security issue in BlogoText <= 3.7.5
(https://github.com/BlogoText/blogotext/)


A Stored XSS vulnerability via comment allows an unauthenticated
attacker to inject JavaScript. If it is triggered as administrator an
attacker can for example, change global settings or create/delete posts.
It is also possible to execute JavaScript against unauthenticated users
of the blog.

Fix:
https://github.com/BlogoText/blogotext/pull/320/commits/1a283cc8ad2cda37e0a6aff8f4558b98ecbfd9c2


The issue is fixed in BlogoText 3.7.6.

https://github.com/BlogoText/blogotext/releases/tag/3.7.6


I've requested a CVE ID (MITRE).

-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: