Headline
CVE-2023-1147: Stored XSS through post comment body in flatpress
Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.
Valid
Description
The body of the comment is vulnerable to Stored XSS
Proof of Concept
- Create a post
- Comment on it, and insert <script>alert(document.domain)</script> in the body
Impact
JavaScript code can be executed on the user end without any interaction.