Date: Sun, 1 Oct 2017 09:25:07 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: Stored XSS vulnerability in BlogoText <= 3.7.5


Hi,

I've discovered a security issue in BlogoText <= 3.7.5
(https://github.com/BlogoText/blogotext/).


A stored XSS vulnerability via comment allows an unauthenticated
attacker to inject JavaScript. If it is triggered as administrator, an
attacker can, for example, change global settings or create/delete posts.
It is also possible to execute JavaScript against unauthenticated users
of the blog.

Fix:
https://github.com/BlogoText/blogotext/pull/320/commits/1a283cc8ad2cda37e0a6aff8f4558b98ecbfd9c2


The issue is fixed in BlogoText 3.7.6.

https://github.com/BlogoText/blogotext/releases/tag/3.7.6


I've requested a CVE ID (MITRE).

-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc