Stored XSS vulnerability via a comment in inc/conv.php in BlogoText before 3.7.6 allows an unauthenticated attacker to inject JavaScript. If the victim is an administrator, an attacker can (for example) change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog.
References
Link | Resource |
---|---|
http://openwall.com/lists/oss-security/2017/10/01/1 | Mailing List Patch Third Party Advisory |
https://github.com/BlogoText/blogotext/issues/318 | Issue Tracking Patch Third Party Advisory |
https://github.com/BlogoText/blogotext/pull/320/commits/1a283cc8ad2cda37e0a6aff8f4558b98ecbfd9c2 | Issue Tracking Patch Third Party Advisory |
https://github.com/BlogoText/blogotext/releases/tag/3.7.6 | Release Notes Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-10-01T15:00:00
Updated: 2017-10-01T15:57:02
Reserved: 2017-10-01T00:00:00
Link: CVE-2017-14957
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-10-02T01:29:00.437
Modified: 2017-10-06T16:50:01.420
Link: CVE-2017-14957
JSON object: View
Redhat Information
No data.
CWE