FlatPress CMS
cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*
- latest
A Cross-Site Scripting (XSS) vulnerability has been identified in the FlatPress CMS admin panel, specifically in the latest version. The issue arises from the file upload feature, which fails to properly validate filenames. This flaw allows an attacker to upload a file whose filename carries a JavaScript payload. If the uploaded file is accessed by other users, the JavaScript code could execute in their browsers, potentially leading to account takeover or data theft.
Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, where injected JavaScript is executed in the context of the user viewing the file. This could result in stealing session cookies or login credentials, leading to unauthorized account access. Additionally, such an XSS vulnerability could be used to target other users of the FlatPress CMS.
To reproduce this vulnerability, log into an admin account and navigate to the media manager upload section. Upload a file through the upload field, intercept the request with a tool like Burp Suite, and inject a JavaScript payload into the filename. After uploading, the injected script will execute automatically when the media file is accessed.
Users can update to FlatPress CMS version 1.4.dev, where this vulnerability has been fixed.
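For upload handlers written in PHP, the two controls this description points to are normalising the client-supplied filename before it is stored and HTML-escaping it wherever it is displayed. The sketch below is an added example, not FlatPress code and not the project's fix; the function names, the extension allow-list and the sample filenames are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of FlatPress.

/**
 * Reduce a client-supplied upload name to a safe stored name.
 * Allow-list approach: the stem keeps only [A-Za-z0-9_-] and the
 * extension must be one the application expects.
 */
function safe_upload_name(string $clientName, array $allowedExt): ?string
{
    // Drop any path component the client sent (both separator styles).
    $base = basename(str_replace('\\', '/', $clientName));

    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = pathinfo($base, PATHINFO_FILENAME);

    if (!in_array($ext, $allowedExt, true)) {
        return null; // reject unexpected file types outright
    }

    // Replace every run of characters outside the allow-list, so markup
    // characters (< > " ' &) and inner dots never reach storage.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '_', $stem), '_');
    if ($stem === '') {
        $stem = 'upload';
    }
    return substr($stem, 0, 100) . '.' . $ext;
}

/** Escape a name at the point it is written into an HTML page. */
function html_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a normal name, a name carrying markup,
// and a name with a path prefix and a disallowed extension.
$samples = ['holiday photo.jpg', '"><img src=x onerror=alert(1)>.png', '../../x.php'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name, ['jpg', 'png', 'gif']);
    echo html_name($name), ' => ',
         $stored === null ? 'REJECTED' : html_name($stored), PHP_EOL;
}
```

Escaping at output stays necessary even with sanitised storage, because names already on disk from before the change are not rewritten.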