Primary

Context

flaskBlog Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability exists in flaskBlog version 2.6.1. This issue allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the postContent, postTags, or postTitle parameters when creating a post.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the post.

Reproduction

To reproduce this vulnerability, create a new post and inject a malicious payload, such as an image tag with an 'onerror' event, into the postContent, postTags, or postTitle fields. Once the post is saved, the injected script will execute when the post is viewed.

Remediation

It is recommended to use autoescaping to escape rendered content, preventing the execution of injected scripts.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

7.9

remediation

8.3

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

7.9

remediation

8.3

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

flaskBlog Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Remediation

Affected Products

DogukanUrker flaskBlog

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating