| Title | chaitak-gorai blogbook latest version as of 2025/05/22 SQL Injection |
|---|
| Description | A stored Cross-Site Scripting (XSS) vulnerability exists in the comment functionality of BlogBook. The application fails to adequately sanitize user-supplied input when new comments are submitted. As a result, an attacker can inject malicious JavaScript code into a comment. This malicious script is then stored in the application's database and executed in the browser of any user, including administrators, who views the page containing the compromised comment.
This vulnerability was successfully exploited to steal session cookies (e.g., PHPSESSID) from users viewing the malicious comment, including an administrator account. With the stolen administrator session cookie, an attacker can hijack the administrator's session and gain full administrative control over the application. This allows for unauthorized data access, modification, user impersonation, and potentially further system compromise. |
|---|
| Source | ⚠️ https://github.com/rllvusgnzm98/Report/blob/main/blogbook/BlogBook%20post.php%20Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Comment%20Functionality%20Leading%20to%20Admin%20and%20User%20Account%20Takeover.md |
|---|
| User | bpy9ft (UID 85221) |
|---|
| Submission | 05/22/2025 10:28 (1 Year ago) |
|---|
| Moderation | 05/31/2025 18:13 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 310745 [chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513 /post.php comment_author/comment_email/comment_content cross site scripting] |
|---|
| Points | 20 |
|---|