Stored XSS in the Blog Content

# FlatPress 1.2.1 - Stored XSS in the Blog Content

A stored Cross Site Scripting (XSS) vulnerability exists in version 1.2.1 of the FlatPress application that allows for arbitrary execution of JavaScript commands.

### Steps to reproduce the vulnerability

1. Visit the FlatPress **Administration area**.
2. Navigate to the **Entries** -> **Write Entry**.
3. Enter any **Subject**.
4. In the content area put the following payload:
	- `<script>alert(document.cookie)</script>`

![1](https://user-images.githubusercontent.com/32225978/133487288-cef4d410-d38a-4d49-a6de-85d1630e0587.png)

5. Click the **Save&Continue** button.
6. Stored XSS payload is triggered.

![2](https://user-images.githubusercontent.com/32225978/133487357-7fb9ae5d-c0b9-44e1-a9d7-b95bdfe6e502.png)

- Also we can verify the stored XSS payload by navigating to the home page. 

![3](https://user-images.githubusercontent.com/32225978/133487374-76ed5feb-596a-4b27-83ad-bb92cb4db065.png)


Discovered by Martin Kubecka, September 15 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stored XSS in the Blog Content #88

FlatPress 1.2.1 - Stored XSS in the Blog Content

Steps to reproduce the vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development