CVE-2024-4023 HIGH

CVE-2024-4023: Stored XSS in flatpressblog/flatpress

Vendor Flatpressblog
Product flatpressblog/flatpress
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-41053 Stored Cross-Site Scripting vulnerability in appRain CMF CVE-2025-12066 WP Delete Post Copies <= 6.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-58703 WordPress Skyword API Plugin Plugin <= 2.5.3 - Cross Site Scripting (XSS) Vulnerability CVE-2024-13504 Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.42 - Limited Unauthenticated Stored Cross-Site Scripting via File Upload CVE-2021-32792 XSS vulnerability when using OIDCPreservePost On in mod_auth_openidc