Cross-Site Scripting (XSS) in "/blogengine/api/posts"

A Cross Site Scripting vulnerabilty exists in BlogEngine via the Description field in /blogengine/api/posts

Step to exploit:
1. Login as admin.
2. Navigate to http://127.0.0.1/blogengine/admin/#/content/posts and click on "NEW".
3. Insert XSS payload `<img src=1 onerror=alert('XSS')>` in the "Description" field and click on SAVE, PUBLISH.
4. Go to Home page.

![1](https://user-images.githubusercontent.com/35623498/180025797-bacb40da-5922-4017-83c9-5489997715e5.PNG)

![2](https://user-images.githubusercontent.com/35623498/180025817-e07f48f3-cc1c-4675-afdf-d1a9946f4c97.PNG)

![3](https://user-images.githubusercontent.com/35623498/180025829-cb63e4da-6059-4f52-a961-7d7f0d032d93.PNG)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cross-Site Scripting (XSS) in "/blogengine/api/posts" #254

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cross-Site Scripting (XSS) in "/blogengine/api/posts" #254

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions