VYPR
Unrated severity · NVD Advisory · Published Dec 28, 2022 · Updated Aug 3, 2024

FlatPress Admin Area admin.entry.list.php cross site scripting

CVE-2022-4820

Description

FlatPress admin entry list is vulnerable to stored XSS via unsanitized user input, fixed by commit 229752b.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) issue in FlatPress, affecting the file admin/panels/entry/admin.entry.list.php in the Admin Area. An attacker can inject malicious scripts into the entry list page via unsanitized user-controlled parameters. The issue is present in versions prior to the fix introduced by commit 229752b51025e678370298284d42f8ebb231f67f [1], [2].

Exploitation

An attacker with remote network access can craft a request that places malicious JavaScript in the $_SERVER['PHP_SELF'] value (used as the form target) or in other parameters such as entry, m, or y. The attacker needs no credentials of their own if they can trick an admin user into visiting a crafted URL, or if the application is configured in a way that exposes the admin area without authentication. The attack is initiated remotely via HTTP requests [1], [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an administrator's browser session. This could lead to unauthorized actions, data theft (e.g., session cookies), or defacement of the admin interface. The impact is limited to the privileges of the admin user who is tricked into viewing the malicious input [1].

Mitigation

The patch commit 229752b51025e678370298284d42f8ebb231f67f (released on or before 2022-12-28) fixes the vulnerability by sanitizing user input using strip_tags() on $_SERVER['PHP_SELF'] and properly handling request parameters. Users should update FlatPress to a version that includes this commit. No workaround is detailed in the references [2].
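To make the mitigation concrete, the following is an added example (not FlatPress code and not the fix commit itself) showing why echoing $_SERVER['PHP_SELF'] into a form target is unsafe and how to harden it; the PHP_SELF and SCRIPT_NAME values are constructed for a stand-alone run.

```php
<?php
// Added example (not FlatPress code). PHP_SELF carries any PATH_INFO the client
// appended to the URL, so a request for /admin.php/<marker> yields this value.
// The value below is constructed for this stand-alone run.
$_SERVER['PHP_SELF'] = '/admin.php/<i>injected-marker</i>';
$_SERVER['SCRIPT_NAME'] = '/admin.php'; // constructed; no PATH_INFO component

// Pattern the advisory describes (vulnerable): the raw value lands in HTML.
function form_target_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: strip_tags() as the page says the fix commit did, followed by
// attribute-context encoding so quotes and angle brackets are inert.
function form_target_safe(): string
{
    $target = strip_tags($_SERVER['PHP_SELF']);
    $target = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $target . '" method="post">';
}

// Preferable when the handler is a known script: SCRIPT_NAME excludes PATH_INFO,
// and is still encoded before output as a defensive habit.
function form_target_fixed(): string
{
    $target = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $target . '" method="post">';
}

// Detection-style check a reviewer or test can run: the rendered attribute must
// not contain a raw '<', '>' or '"' that came from the request.
function output_is_inert(string $html): bool
{
    $attr = substr($html, strlen('<form action="'));
    $attr = substr($attr, 0, strpos($attr, '" method='));
    return strpbrk($attr, '<>"') === false;
}

echo form_target_unsafe(), "\n"; // marker tag survives: vulnerable pattern
echo form_target_safe(), "\n";   // tag stripped, remainder encoded
echo form_target_fixed(), "\n";  // fixed script path, no client-controlled data
var_dump(output_is_inert(form_target_unsafe())); // bool(false)
var_dump(output_is_inert(form_target_safe()));   // bool(true)
var_dump(output_is_inert(form_target_fixed()));  // bool(true)
```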

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0 (no linked articles in our index yet)