📄 FlatPress 1.0.2 Cross Site Scripting

FlatPress 1.0.2 - Cross-site Scripting
    Advisory ID: RO-14-011
    Severity: Critical
    Vendor: FlatPress
    Product: FlatPress
    Version: 1.0.2
    
    
    Overview #
    
    Cross-site Scripting (XSS) vulnerabilities exist in FlatPress version 1.0.2. FlatPress is a blogging engine that saves posts as simple text files.
    
    
    Vulnerability Details #
    
    Affected Versions: 1.0.2 and earlier
    
    Root Cause: Insufficient input validation in the content parameter allows XSS attacks.
    Technical Details #
    
    POST /?x=entry:entry131123-000300 HTTP/1.1
    
    content=</textarea><script>alert(9)</script>
    
    
    
    Exploitation Requirements #
    
        Authentication may be required
        Victim must view the malicious content
    
    Impact #
    
    Remote attackers can exploit these vulnerabilities to:
    
        Steal user session cookies
        Perform actions on behalf of users
        Persistently inject malicious content
    
    
    
    Solution #
    
    Update to a patched version. See GitHub Issue #14.
    
    
    References #
    
        Invicti Advisory NS-14-015
    
    Timeline:
    
        [2014-03-04] - First Contact
        [2014-03-05] - Vendor Fixed
        [2014-04-08] - Advisory Released
    
    Credits: Omar Kurt