CVE-2024-4023

NONE EPSS 50.2%
Published Mar 20, 20251y ago · Modified Jun 17, 20262w ago
Find Similar
Published Mar 20, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML file. This allows an attacker to execute arbitrary JavaScript code, which can be used to steal user cookies, perform HTTP requests, and access content of the same origin.

Threat Intelligence

EPSS Exploit Probability
50.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
flatpressflatpress1.3any

References 2

  • github.com https://github.com/flatpressblog/flatpress/commit/3c9cc69364a45fd3f92d4bd606344b5dd1205d6a
    Patch
  • huntr.com https://huntr.com/bounties/ed803c13-0858-4c22-93ba-bf2384ab1e9d
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/flatpressblog/flatpress/commit/3c9cc69364a45fd3f92d4bd606344b5dd1205d6a
    Patch