4 matches found
CVE-2025-55737
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...
CVE-2025-55736
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges e.g. delete users, posts, comments etc.. The problem is in the routes/adminPanelUsers file...
CVE-2025-55736
CVE-2025-55736 affects flaskBlog up to version 2.8.0 (and earlier). The root cause is in the routes/adminPanelUsers file, where an arbitrary user can elevate their role to admin , gaining high-privilege capabilities (e.g., delete users, posts, comments). Connected sources confirm the affected sof...
CVE-2025-53631
FlaskBlog vulnerability CVE-2025-53631 affects FlaskBlog versions prior to 2.8.1. Root cause: improper sanitization of postContent submitted to /createpost, enabling arbitrary JavaScript execution (XSS) on all pages where the post is reflected (/, /post/[ID], /admin/posts, /user/[ID]). Impact is ...