oss-sec mailing list archives
Stored XSS vulnerability in BlogoText <= 3.7.5
From: chbi () chbi eu
Date: Sun, 1 Oct 2017 09:25:07 +0200
Hi, I've discovered a security issue in BlogoText <= 3.7.5 (https://github.com/BlogoText/blogotext/) A Stored XSS vulnerability via comment allows an unauthenticated attacker to inject JavaScript. If it is triggered as administrator an attacker can for example, change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog. Fix: https://github.com/BlogoText/blogotext/pull/320/commits/1a283cc8ad2cda37e0a6aff8f4558b98ecbfd9c2 The issue is fixed in BlogoText 3.7.6. https://github.com/BlogoText/blogotext/releases/tag/3.7.6 I've requested a CVE ID (MITRE). -- chbi https://chbi.eu GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E https://chbi.eu/chbi.asc
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Stored XSS vulnerability in BlogoText <= 3.7.5 chbi (Oct 01)
- Re: Stored XSS vulnerability in BlogoText <= 3.7.5 chbi (Oct 01)
- Re: Stored XSS vulnerability in BlogoText <= 3.7.5 chbi (Oct 09)
- Re: Stored XSS vulnerability in BlogoText <= 3.7.5 chbi (Oct 01)