PerfreeBlog Stored Cross-Site Scripting Vulnerability in Backend System Settings

A stored cross-site scripting vulnerability has been identified in PerfreeBlog version 4.0.11. The issue resides in the website name field within the backend system settings interface, where an attacker can inject and execute arbitrary malicious scripts. The vulnerability is exploited by inserting a script tag containing JavaScript code, such as an alert, into the website name field. Once saved, the injected script is executed when the website name is displayed on any page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, log into the backend of a PerfreeBlog site running version 4.0.11. Navigate to the system settings interface and locate the website name field. Insert a script tag containing JavaScript, such as an alert, into this field and save the changes. The injected script will execute when the website name is displayed on a page.