VYPR
Severity: Unrated · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Stored XSS in flatpressblog/flatpress

CVE-2024-4023

Description

FlatPress 1.3 allows stored XSS via .xsig file uploads because the server sends a generic Content-Type, causing the browser to execute embedded JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.3 [1][2]. The uploader accepts files with the .xsig extension, and when such a file is later requested the server returns it with a generic Content-Type (application/octet-stream, according to the report) rather than a type that describes the bytes. Whether a browser then treats the file as an HTML document depends on its MIME-sniffing rules: a response with no usable type is sniffed, and one that begins with HTML markup is rendered as a page, so any JavaScript embedded in the file executes in the site's origin. Strictly, current browsers download an explicit application/octet-stream rather than sniffing it; it is a missing or unknown Content-Type that triggers HTML sniffing, so the exact header an affected deployment sends for uploaded files is worth verifying, and serving uploads with X-Content-Type-Options: nosniff disables the sniffing path regardless. The vulnerability does not require any special server configuration beyond allowing file uploads [1][2].

Exploitation

An attacker who can upload files (an authenticated user, or any visitor if uploads are publicly permitted) uploads a .xsig file whose content is an HTML document carrying a script. The file persists on the server, which is what makes this a stored rather than reflected XSS. When a victim opens the uploaded file's URL directly, the browser sniffs the response as HTML and runs the script in the FlatPress origin. Opening the link is the only interaction required [1][2].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser, in the FlatPress origin. The script can read session cookies that are not marked HttpOnly, issue same-origin requests with the victim's credentials (for an administrator, that includes the admin panel the uploader lives in), read page content, and otherwise compromise the user's session or data [2].

Mitigation

The fix, committed in [1], prevents the upload of files with the .xsig extension. FlatPress 1.3 users should apply commit 3c9cc69364a45fd3f92d4bd606344b5dd1205d6a or upgrade to a version that includes this patch. No workaround is provided for unpatched instances beyond disabling file uploads [1]. Because the patch extends an extension denylist rather than moving to an allowlist, any other extension that the web server serves with a sniffable Content-Type would reopen the same path; operators should also check how their server labels uploaded files and consider serving the upload directory with X-Content-Type-Options: nosniff and Content-Disposition: attachment, which stops a browser from rendering any upload as a page.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: <=1.3
  • flatpressblog/flatpressblog/flatpressv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application incorrectly handles uploaded files with a .xsig extension, allowing them to be interpreted as HTML."

Attack vector

An attacker uploads a file with a `.xsig` extension to the server. When the file is requested directly, the server returns it with the generic `application/octet-stream` Content-Type instead of a type matching its content; a browser that sniffs the response finds HTML markup at the start of the file, renders it as a document, and executes the embedded JavaScript in the user's browser context [1].

Affected code

The vulnerability exists in the file upload functionality located in `admin/panels/uploader/admin.uploader.php`. Specifically, the `onupload()` function handles file uploads and was modified to disallow `.xsig` extensions [1].

What the fix does

The patch modifies `admin.uploader.php` to prevent the upload of files with the `.xsig` extension. This is achieved by adding `.xsig` to the list of disallowed file extensions, so the file is never stored and there is nothing for a victim to request [1]. The check remains a denylist, so it protects only against the extensions it names.
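The following is an added example written for this page, not FlatPress code and not the contents of `admin.uploader.php`. It illustrates both halves of the mechanics above: part 1 models the browser-side decision from the Attack vector (a simplified reading of the WHATWG MIME Sniffing Standard's unknown-type path, with `X-Content-Type-Options: nosniff` turning sniffing off), and part 2 models the server-side check from What the fix does (the denylist shape of the original check, using a hypothetical list rather than the project's real one, beside an allowlist combined with a content check). The denylists, allowlist, and the `XSIG_PAYLOAD` sample are all constructed here.

```python
"""Added example (not FlatPress code): why a served .xsig upload became stored
XSS, and what an upload filter that does not depend on a denylist looks like."""
import os
from typing import Optional

# --- Part 1: browser-side type decision -------------------------------------

# Supplied types the sniffing standard treats as unknown and therefore sniffs.
UNKNOWN_TYPES = {None, "", "unknown/unknown", "application/unknown", "*/*"}

# Tag patterns from the standard's HTML table (matched case-insensitively and
# only when the byte after the tag is a space or '>').
HTML_TAGS = (b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1",
             b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B",
             b"<BODY", b"<BR", b"<P", b"<!--")
LEADING_WS = b"\t\n\x0c\r "
TAG_TERMINATORS = b" >"


def looks_like_html(body: bytes) -> bool:
    """True if the resource header matches one of the HTML patterns above."""
    sample = body[:1445].lstrip(LEADING_WS)   # 1445 bytes: the standard's header size
    upper = sample.upper()
    return any(upper.startswith(tag) and len(upper) > len(tag)
               and upper[len(tag)] in TAG_TERMINATORS for tag in HTML_TAGS)


def computed_type(content_type: Optional[str], body: bytes, nosniff: bool = False) -> str:
    """MIME type a sniffing browser would act on for this response."""
    supplied = content_type.split(";")[0].strip().lower() if content_type else None
    if nosniff:
        # Sniffing disabled: only the declared type is used. With no declared
        # type there is nothing to render; this model reports a generic binary type.
        return supplied or "application/octet-stream"
    if supplied in UNKNOWN_TYPES:
        # Unknown type: sniff. The standard goes on to test images, fonts, etc.;
        # this model only distinguishes HTML from everything else.
        return "text/html" if looks_like_html(body) else "application/octet-stream"
    # A concrete declared type is kept as declared. application/octet-stream is
    # a download in current browsers, not a page, so no script runs from it.
    return supplied


# --- Part 2: server-side upload filter -------------------------------------

# Hypothetical pre-fix denylist: scripts and markup blocked, .xsig forgotten.
DENYLIST_BEFORE = {".php", ".phtml", ".html", ".htm", ".js", ".svg"}
# The shape of the patch: one more entry in the same list.
DENYLIST_AFTER = DENYLIST_BEFORE | {".xsig"}
# Allowlist alternative (hypothetical): only what a blog needs to accept.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".zip"}


def extensions(filename: str) -> list:
    """Every extension of the name, lowercased: 'a.PHP.xsig' -> ['.php', '.xsig']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def denylist_allows(filename: str, denylist) -> bool:
    """Denylist check: accept unless some extension is explicitly blocked."""
    return not any(ext in denylist for ext in extensions(filename))


def upload_allowed(filename: str, body: bytes, allowlist=ALLOWLIST) -> bool:
    """Allowlist plus content check: every extension must be approved and the
    bytes must not sniff as HTML, whatever the name says."""
    exts = extensions(filename)
    return bool(exts) and all(e in allowlist for e in exts) and not looks_like_html(body)


# Constructed sample: the kind of payload the advisory describes.
XSIG_PAYLOAD = b"<html><body><script>document.title='xss'</script></body></html>"

if __name__ == "__main__":
    print("no Content-Type, rendered as:", computed_type(None, XSIG_PAYLOAD))  # text/html
    print("pre-fix denylist accepts evil.xsig:", denylist_allows("evil.xsig", DENYLIST_BEFORE))  # True
    print("patched denylist accepts evil.xsig:", denylist_allows("evil.xsig", DENYLIST_AFTER))  # False
    print("allowlist accepts evil.xsig:", upload_allowed("evil.xsig", XSIG_PAYLOAD))  # False
```

The content check in `upload_allowed` is the part a denylist never gives you: a file named `photo.jpg` whose first bytes are `<html` is rejected on its bytes, so a future extension the list does not mention cannot reintroduce the same rendering path. `computed_type` is a model, not a browser; use it to reason about which response headers matter, then confirm against a real upload by requesting it and inspecting the `Content-Type` and `X-Content-Type-Options` headers the deployment actually sends.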

Preconditions

  • input: The attacker must craft and upload a file with a `.xsig` extension.
  • network: The attacker must be able to directly access the uploaded file via a URL.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.