CVE-2024-22414 MEDIUM

CVE-2024-22414: User profile page vulnerable to Cross Site Scripting (XSS) in flaskBlog

Vendor Dogukanurker
Product flaskBlog
Weakness CWE-79 · XSS
Published January 17, 2024
Last update June 17, 2025
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div class="content" tag="content">{{comment[2]|safe}}</div>`. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the `|safe` tag from the HTML above. No fix is is available and users are advised to manually edit their installation.

Key dates

02Disclosure timeline

January 17, 2024 CVE published
June 17, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-45056 WordPress Open User Map | Everybody can add locations Plugin <= 1.3.26 is vulnerable to Cross Site Scripting (XSS) CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CVE-2022-38192 There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript. CVE-2023-46127 Frappe vulnerable to HTML injection by any Desk user CVE-2022-1088 Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting