CVE-2021-41432
Description
Stored XSS in FlatPress 1.2.1 allows attackers to execute arbitrary JavaScript via crafted blog content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in FlatPress 1.2.1 allows attackers to execute arbitrary JavaScript via crafted blog content.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 [1]. The vulnerability resides in the blog content field when creating or editing entries via the Write Entry page. An attacker can inject arbitrary JavaScript code that is stored and executed when any user views the affected blog page [1]. No special configuration is required other than having an account with authoring privileges.
Exploitation
The attacker must have access to the FlatPress administration area, specifically the "Write Entry" functionality [1]. The exploit steps are: 1) Log in to the admin panel, 2) Navigate to Entries -> Write Entry, 3) Enter a subject and paste the payload `` into the content area, 4) Click Save & Continue [1]. The payload is stored and triggers immediately upon saving and also when the home page is viewed [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who views the compromised blog entry [1]. This can lead to session hijacking, credential theft, defacement, or further attacks. The scope is within the blog application, and the attacker gains the ability to perform actions as the victim user.
Mitigation
As of the reference's publication, no patch has been released [1]. Users should consider sanitizing user input, implementing Content Security Policy (CSP), and restricting write access to trusted users. FlatPress 1.2.1 is the affected version; upgrading to a future fixed version when available is recommended.
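The two application-side controls named above, sanitizing stored content and emitting a Content Security Policy, as an added example that is not FlatPress code: an allowlist sanitizer built on the standard-library `HTMLParser` that keeps basic formatting tags, drops `script`/`style` blocks and their contents, discards every attribute not on a per-tag allowlist (so event handlers never survive) and only keeps `href` values with an `http`/`https` scheme, plus a CSP header that denies inline script. The tag allowlist, the function names and the sample entry are assumptions constructed for illustration.

```python
"""Defensive handling of stored blog content (added example, not FlatPress code).

Control 1: reduce stored HTML to an allowlist of formatting tags, removing
script-capable content.  Control 2: a Content-Security-Policy header that
blocks inline script as a second layer if something slips past the sanitizer.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist for illustration: tags a blog entry may keep,
# and the attributes permitted per tag.  Event handlers (on*) are never listed.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes.

    Everything inside <script>/<style> is dropped; other disallowed tags are
    removed but their text is kept (re-escaped); HTML comments are dropped.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Default-deny on URL scheme: javascript:, data:, vbscript: and
            # relative links are all rejected; only http/https pass.
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; encode them again
        # so text can never be reinterpreted as markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        return  # comments carry no value for a blog entry; drop them


def sanitize_entry(raw_html: str) -> str:
    """Return the allowlisted, re-serialised form of a stored blog entry."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


def csp_header() -> str:
    """Response header that blocks inline <script> and on*= handlers."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'self'")


# Constructed sample entry: legitimate formatting mixed with injected markup.
SAMPLE_ENTRY = (
    "<p>Hello <b>world</b></p>"
    "<script>alert(1)</script>"
    "<img src=x onerror=alert(1)>"
    '<a href="javascript:alert(1)" onclick="alert(1)">link</a>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_entry(SAMPLE_ENTRY))
    print(csp_header())
```

Run on `SAMPLE_ENTRY` the sanitizer keeps the paragraph and both links but strips the script block, the `img` tag, the `javascript:` target and both event handlers. Relative `href` values are rejected by the default-deny scheme check; a deployment that needs them would add an explicit rule for paths beginning with `/`.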
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/flatpressblog/flatpress/issues/88 (MITRE x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.