CVE-2008-4120
Description
FlatPress 0.804 contains multiple reflected XSS vulnerabilities in login.php and contact.php, allowing arbitrary script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FlatPress 0.804 suffers from multiple reflected cross-site scripting (XSS) vulnerabilities. The user and pass parameters in login.php and the name parameter in contact.php are not properly sanitized before being reflected back to the user, allowing injection of arbitrary HTML and JavaScript. [2]
Exploitation
An attacker can craft a malicious URL or form that submits crafted values to the vulnerable parameters. No authentication is required; the attacker only needs to trick a victim into clicking a link or submitting a form. For example, a form targeting login.php with user set to '"'>' will execute the script in the victim's browser. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the FlatPress site. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is limited to the victim's browser and does not compromise the server directly.
Mitigation
The vendor released version 0.804.1 on September 25, 2008, which fixes these XSS issues. [2][3] Users should upgrade to 0.804.1 or later. No workaround is provided for the vulnerable version.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page."
Attack vector
Remote attackers can inject arbitrary web script or HTML by sending specially crafted requests to specific parameters. For example, an attacker could craft a POST request to `login.php` with a payload like `"><script>alert(1)</script>` in the `user` or `pass` parameter. Similarly, a POST request to `contact.php` with the same payload in the `name` parameter would also be vulnerable [ref_id=1]. This lack of input sanitization allows for cross-site scripting attacks [CWE-79].
Affected code
The vulnerabilities are present in `login.php` via the `user` and `pass` parameters, and in `contact.php` via the `name` parameter in FlatPress version 0.804. The advisory does not specify exact code lines but indicates these parameters are susceptible to injection due to a failure to properly sanitize user-supplied input [ref_id=1].
What the fix does
The advisory indicates that updating to FlatPress version 0.804.1 resolves these vulnerabilities. This suggests that the patch addresses the improper neutralization of user-supplied input, preventing the injection of malicious scripts or HTML into web pages [ref_id=1]. The update ensures that input is properly sanitized before being rendered, mitigating the cross-site scripting risks.
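The unsafe and encoded forms of reflecting a submitted field, as an added example. This is not FlatPress source code or the vendor's patch; the function names and the form markup are hypothetical, and the test string is the one quoted under "Attack vector" above.

```php
<?php
// Added illustration, NOT FlatPress code. All function names are hypothetical.

// Vulnerable pattern: the submitted value is written into the attribute as-is.
function render_field_unsafe(string $user): string
{
    return '<input type="text" name="user" value="' . $user . '" />';
}

// Encode at output time for the HTML context. ENT_QUOTES covers both quote
// characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, value encoded before it is reflected.
function render_field_safe(string $user): string
{
    return '<input type="text" name="user" value="' . h($user) . '" />';
}

// Regression check: parse the markup and report whether any <script> element
// appeared and what the input's value attribute decodes to.
function inspect_field(string $html): array
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $input ? $input->getAttribute('value') : null,
    ];
}

$probe = '"><script>alert(1)</script>'; // test string from the advisory text
$cases = [
    'unsafe' => render_field_unsafe($probe),
    'safe'   => render_field_safe($probe),
];
foreach ($cases as $label => $html) {
    $r = inspect_field($html);
    // A correct encoder yields zero script elements and a value that decodes
    // back to exactly what was submitted.
    printf("%-6s scripts=%d roundtrip=%s\n", $label, $r['scripts'],
        var_export($r['value'] === $probe, true));
}
```

`htmlspecialchars` covers HTML text and quoted attribute values only; values placed inside script blocks, URLs or unquoted attributes need encoding for that context instead.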
Preconditions
- input: The attacker must be able to send requests to the `login.php` or `contact.php` scripts.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0
No linked articles in our index yet.