CVE-2017-16636

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-16636
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16636.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-16636
Published
2017-11-06T22:29:00Z
Modified
2024-09-03T01:45:28.852505Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the followup POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script codes and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. Thus allows a restricted user account to inject malicious script code to perform a persistent attack against higher privilege web-application user accounts.

References

Affected packages

Git / github.com/bludit/bludit

Affected ranges

Type
GIT
Repo
https://github.com/bludit/bludit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected

Affected versions

0.*

0.1
0.2
0.2-beta1
0.4-beta1
0.5
0.6-beta1
0.6-beta2
0.6.1
0.6.2
0.7
0.7-beta1
0.7.1
0.7.2

1.*

1.0-beta1
1.0-beta2
1.0-beta3
1.0.1
1.1.2
1.3
1.3-beta1
1.3-beta2
1.4
1.4a
1.5
1.5-beta1
1.5-beta2
1.5-beta3
1.5.1
1.5.2