Primary

Context

Tianti Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Tianti version 2.3. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the coverImageURL parameter of the article save AJAX endpoint. The injected script is executed on the front end, affecting all users who access the homepage.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the homepage.

Reproduction

To reproduce this vulnerability, publish an article and replace the cover image URL with an XSS payload, such as an image tag (with an invalid image source) using an 'onerror' attribute. After saving the article, the XSS payload will be executed when users access the homepage.

Remediation

It is recommended to HTML-escape user input before displaying it to prevent the execution of injected scripts.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.4

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.4

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tianti Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

xujeff tianti

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating