sayski ForestBlog Cross-Site Scripting Vulnerability Allowing Privilege Escalation

Vulnerability

A stored cross-site scripting vulnerability has been identified in sayski ForestBlog, specifically in the article editing interface of the administrator backend. This issue allows remote attackers to inject malicious scripts that could be executed in the context of the user's session, potentially leading to unauthorized actions or access.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, access the administrator backend and navigate to the article editing interface. Inject a script payload, such as an image tag with an error event, into the article content. Once the article is saved, the injected script will execute when the article is viewed or edited again. Additionally, this vulnerability can be combined with a cross-site request forgery (CSRF) attack to escalate privileges by stealing the administrator's cookie.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.