CVE-2025-53631

Medium CVSS: 5.3

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and /user/[ID] of the user that made the post. At time of publication, there are no public patches available.

Vendor

Dogukanurker

Product

Flaskblog

CWE

CWE-79

Yayın Tarihi

2025-08-14 16:15:36

Güncelleme

2025-08-21 21:29:29

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Flaskblog MEDIUM Dogukanurker 2025

Referanslar

https://github.com/DogukanUrker/flaskBlog/security/advisories/GHSA-cj43-h8qf-7rw7

Benzer Kayıtlar

Medium

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ow…

Medium

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when vis…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Critical

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving…

Medium

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

Critical

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.