Submission #787045: code-projects Easy Blog Site In PHP 1.0 Cross Site Scripting

Information

Title: code-projects Easy Blog Site In PHP 1.0 Cross Site Scripting
Description: A stored cross-site scripting (XSS) vulnerability exists in the post update functionality of Easy Blog Site in PHP. The affected endpoint is /blog/posts/update.php.

The application processes user-controlled input via HTTP POST parameters when updating blog posts. The postTitle parameter is accepted directly from user input and stored in the backend database without proper validation or sanitization. Because the stored value is later rendered in the blog interface without output encoding, malicious HTML or JavaScript can be executed in the browser of any user who views the affected post.

During testing it was confirmed that injecting a malicious payload into the postTitle parameter results in persistent script execution. Payload used: <details/open/ontoggle=prompt(origin)>

Once the post is updated, the payload is saved in the database and executed whenever the post is viewed, which confirms that this is a stored (persistent) cross-site scripting issue.
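The rendering pattern the advisory describes next to an output-encoded version that neutralizes the stored value, as an added illustration that is not code from the Easy Blog Site project. The function names, the $post array shape and the title length limit are assumptions; the sample title is the payload quoted in the advisory.

```php
<?php
// Added example, not code from the Easy Blog Site project. Function names
// and the $post array layout are assumptions made for illustration.

// Constructed sample row: the stored postTitle is the payload quoted in the
// advisory, exactly as it would sit in the database after the vulnerable update.
$post = [
    'postID'    => 42,
    'postTitle' => '<details/open/ontoggle=prompt(origin)>',
];

// Vulnerable pattern: the stored value is concatenated into the HTML unchanged,
// so the browser parses the stored markup and runs its event handler.
function renderTitleVulnerable(array $post): string
{
    return '<h2 class="post-title">' . $post['postTitle'] . '</h2>';
}

// Hardened pattern: every database value is HTML-encoded at output time.
// ENT_QUOTES also encodes single quotes (needed when the value lands inside an
// attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, and the explicit charset must match the page encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(array $post): string
{
    return '<h2 class="post-title">' . e($post['postTitle']) . '</h2>';
}

// Input-side sanity check for update.php (assumed 200-character limit): reject
// empty or oversized titles. This limits abuse but does not replace output
// encoding, because HTML context decides what is dangerous, not the input.
function validateTitle(string $title): bool
{
    $title = trim($title);
    return $title !== '' && mb_strlen($title, 'UTF-8') <= 200;
}

// Both renderings for comparison: the first emits the stored markup verbatim,
// the second emits it with < > " ' & turned into HTML entities so the browser
// shows the title as text instead of parsing it as an element.
echo renderTitleVulnerable($post), PHP_EOL;
echo renderTitleSafe($post), PHP_EOL;
var_dump(validateTitle($post['postTitle']));
```

The same e() helper must be applied wherever postTitle is output (post list, single post view, admin pages), since the stored value is rendered in more than one place.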
Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Easy%20Blog%20Site%20PHP%20postTitle%20Parameter.md
User: AhmadMarzook (UID 96211)
Submitted: 24/03/2026 01:01 PM (25 days ago)
Moderation: 08/04/2026 04:39 PM (15 days later)
Status: Approved
VulDB Entry: 356244 [code-projects Easy Blog Site 1.0 /posts/update.php postTitle cross site scripting]
Points: 20
