Disclaimer
This advisory refers to my other security advisory; GitHub asked for separate posts in order to assign separate CVE IDs.
Stored XSS
Description
When creating a post, there is no validation of the content of the post stored in the variable "postContent". The vulnerability arises when the content of the post is displayed using the | safe filter, which tells the template engine not to escape the rendered content. This can lead to a stored XSS inside the content of the post.
The code that causes the problem is in template/routes.html, line 67:
<p>{{ content | safe }} <br /></p>
PoC
Example of a malicious user intercepting the createPost request. As can be seen in the image, the payload is a simple <script>alert("STORED XSS")</script>.

Going to the home of the blog after creating the post triggers the XSS.

Solution
Remove the | safe filter to let Flask escape the content of the post.
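The following is an added example, not code from the advisory or the affected project, that shows the difference between the vulnerable and the fixed rendering of the quoted template line. It assumes a template with the same structure as line 67 of template/routes.html, uses plain Python string formatting in place of Jinja2, and uses the standard library's html.escape() to stand in for the escaping Jinja2 applies once the | safe filter is removed. The sample post content is the payload shown in the PoC above. The contains_executable_markup() check is a hypothetical regression test a maintainer could keep in the test suite to catch any future reintroduction of unescaped output.

```python
import html
import re

# Constructed sample post content: the payload shown in the advisory's PoC.
SAMPLE_POST = '<script>alert("STORED XSS")</script>'

# Hypothetical page template with the same structure as the quoted line from
# template/routes.html; {content} stands in for the Jinja2 {{ content }} slot.
POST_TEMPLATE = "<p>{content} <br /></p>"


def render_with_safe(content: str) -> str:
    """Vulnerable rendering, mirroring `{{ content | safe }}`.

    The `| safe` filter marks the value as trusted markup, so the engine
    inserts it verbatim. Plain string formatting reproduces that: no
    escaping at all.
    """
    return POST_TEMPLATE.format(content=content)


def render_escaped(content: str) -> str:
    """Fixed rendering, mirroring `{{ content }}` with autoescaping enabled.

    html.escape() turns <, >, &, " and ' into entities, which is the same
    transformation Jinja2's autoescape applies once `| safe` is removed.
    """
    return POST_TEMPLATE.format(content=html.escape(content, quote=True))


# Matches an opening or closing HTML tag.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_executable_markup(rendered: str, template: str = POST_TEMPLATE) -> bool:
    """Regression check: True if the rendered page contains any HTML tag
    beyond the ones the template itself contributes, i.e. untrusted post
    content reached the page unescaped."""
    expected_tags = set(_TAG_RE.findall(template.format(content="")))
    found_tags = set(_TAG_RE.findall(rendered))
    return bool(found_tags - expected_tags)


if __name__ == "__main__":
    vulnerable = render_with_safe(SAMPLE_POST)
    fixed = render_escaped(SAMPLE_POST)
    print("with | safe :", vulnerable)
    print("escaped     :", fixed)
    print("tag survives (vulnerable):", contains_executable_markup(vulnerable))
    print("tag survives (fixed)     :", contains_executable_markup(fixed))
```

Running the block prints the post once with the script tag intact and once with it converted to entities; the check reports True for the first and False for the second, which is the behaviour to lock in after removing the | safe filter.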