Submission #787045: code-projects Easy Blog Site In PHP 1.0 Cross Site Scripting info

Title: code-projects Easy Blog Site In PHP 1.0 Cross Site Scripting

Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Easy Blog Site in PHP within the post update functionality. The vulnerability occurs in the following endpoint: /blog/posts/update.php

The application processes user-controlled input via HTTP POST parameters when updating blog posts. The postTitle parameter is directly accepted from user input and stored in the backend database without proper validation or sanitization. Because the stored value is later rendered in the blog interface without applying output encoding, malicious HTML or JavaScript code can be executed in the browser of users who view the affected post.

During testing, it was confirmed that injecting a malicious payload into the postTitle parameter results in persistent script execution.

Payload used: <details/open/ontoggle=prompt(origin)>

Once the post is updated, the payload is saved in the database and executed whenever the post is viewed. This confirms that the vulnerability is a Stored (Persistent) Cross-Site Scripting issue.

Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Easy%20Blog%20Site%20PHP%20postTitle%20Parameter.md
User: AhmadMarzook (UID 96211)
Submitted: 2026-03-24 13:01 (1 month ago)
Moderation: 2026-04-08 16:39 (15 days later)
Status: Accepted
VulDB entry: 356244 [code-projects Easy Blog Site 1.0 /posts/update.php postTitle Cross Site Scripting]
Points: 20
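The root cause described in the submission is missing output encoding when the stored postTitle value is rendered. The following is an added illustration, not code from the Easy Blog Site project or from the submitter: a minimal render/update pair showing the unsafe raw echo beside the hardened version that applies htmlspecialchars() at output time. The function names, the posts table and its columns, and the PDO handle are assumptions made for the example.

```php
<?php
// Added example; not the Easy Blog Site project's code. The table/column
// names (posts, id, title) and the PDO connection are assumptions.

// Vulnerable pattern: the stored title is concatenated into HTML verbatim,
// so markup saved through postTitle is parsed by every viewer's browser.
function renderTitleUnsafe(string $title): string
{
    return '<h1>' . $title . '</h1>';
}

// Hardened pattern: contextual output encoding. htmlspecialchars() converts
// <, >, &, " and ' to entities, so the browser shows the text instead of
// interpreting it as markup. ENT_QUOTES also covers attribute contexts.
function renderTitleSafe(string $title): string
{
    return '<h1>'
        . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</h1>';
}

// Storage side: a parameterised UPDATE. This prevents SQL injection but does
// not neutralise XSS; encoding must happen where the value is rendered,
// because the same stored title may be emitted in several HTML contexts.
function updatePostTitle(PDO $db, int $postId, string $title): void
{
    // Defensive input check: bound the length so the stored value cannot
    // carry arbitrarily large markup. It is not a substitute for encoding.
    if (mb_strlen($title, 'UTF-8') > 200) {
        throw new InvalidArgumentException('title too long');
    }
    $stmt = $db->prepare('UPDATE posts SET title = :title WHERE id = :id');
    $stmt->execute([':title' => $title, ':id' => $postId]);
}

// Demonstration with the payload quoted in the submission: the unsafe
// renderer emits it as live markup, the hardened one as inert text.
$payload = '<details/open/ontoggle=prompt(origin)>';
echo renderTitleUnsafe($payload), PHP_EOL;
echo renderTitleSafe($payload), PHP_EOL;
```

Run with `php example.php` and compare the two lines: only the first contains an unescaped `<details` tag. If titles are also placed into JavaScript or URL contexts, each of those needs its own encoder; htmlspecialchars() is correct for HTML body and attribute output only.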
