CVE-2024-4023

Source
https://cve.org/CVERecord?id=CVE-2024-4023
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4023.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-4023
Published
2025-03-20T10:15:32.473Z
Modified
2026-04-10T05:14:44.154075Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Summary
[none]
Details

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. The application accepts uploads with a .xsig extension, and when a user directly requests such a file the server responds with a Content-Type of application/octet-stream, so the browser is left to sniff the body and ends up processing it as an HTML document. An attacker who uploads a .xsig file containing markup can therefore execute arbitrary JavaScript in the blog's origin once a victim opens the file (the UI:R in the vector), which can be used to steal user cookies, issue HTTP requests as the victim, and read content of the same origin.
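The record does not show FlatPress's upload or download code, so the following is an added example written for this page (in Python rather than the project's PHP) and is not FlatPress's own code. It demonstrates the two server-side controls that close the pattern described above: an extension allowlist applied at upload time, and response headers that stop a browser from sniffing a stored upload into HTML. The allowlist contents, the inline-type table and the sample uploads are assumptions constructed for the example.

```python
# Added example, not FlatPress code: upload allowlisting plus safe download
# headers, the two controls that keep an uploaded file with an unexpected
# extension (such as .xsig) from being rendered as HTML by a browser.
# ALLOWED_EXTENSIONS, INLINE_TYPES and the sample uploads are assumptions.
import os
import re

# Hypothetical allowlist of extensions this application needs to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}

# Types the application is willing to let a browser display inline.
# Everything else is sent as a download with a generic type.
INLINE_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
    "txt": "text/plain",
}

# Markup that would make a sniffing browser treat the body as HTML.
_HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|body|script|iframe|svg|meta)", re.I)


def sanitize_filename(name):
    """Drop directory components and characters outside a conservative set."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "upload"


def check_upload(filename, data):
    """Decide whether an upload may be stored.

    Returns (True, stored_name) or (False, reason). The extension is taken
    from the sanitized name and compared case-insensitively against the
    allowlist; the first KiB is also scanned for HTML so that a file with an
    allowed extension cannot smuggle markup for a sniffing browser.
    """
    stored = sanitize_filename(filename)
    ext = stored.rsplit(".", 1)[-1].lower() if "." in stored else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not allowlisted"
    if _HTML_MARKERS.search(data[:1024]):
        return False, "content starts with HTML markup"
    return True, stored


def response_headers(stored_name):
    """Headers for serving a stored upload back to a browser.

    nosniff pins the declared type, the CSP sandbox neutralises any script
    that still gets interpreted, and non-inline types go out as attachments
    so the browser downloads rather than renders them.
    """
    ext = stored_name.rsplit(".", 1)[-1].lower() if "." in stored_name else ""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
        headers["Content-Disposition"] = f'inline; filename="{stored_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: a benign PNG header, the .xsig pattern from
    # the advisory, an allowlisted extension carrying HTML, and a path-
    # traversal name.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n"),
        ("payload.xsig", b"<script>alert(document.cookie)</script>"),
        ("notes.txt", b"<html><body><script>alert(1)</script>"),
        ("../../etc/report.pdf", b"%PDF-1.7"),
    ]
    for name, body in samples:
        ok, info = check_upload(name, body)
        print(f"{name:24} -> {'stored as ' + info if ok else 'rejected: ' + info}")
        if ok:
            print("   ", response_headers(info))
```

Without the allowlist, the .xsig upload is accepted; without nosniff and the attachment disposition, an octet-stream response leaves the rendering decision to the browser, which is exactly the gap the advisory describes. Both controls are needed: the allowlist stops the file being stored at all, and the headers protect files that are legitimately stored.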

References

Affected packages

Git / github.com/flatpressblog/flatpress

Affected ranges

Type
GIT
Repo
https://github.com/flatpressblog/flatpress
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3"
        }
    ]
}

Affected versions

1.*
1.1
1.2
1.2.1
1.2.beta1
1.2.beta2
1.3
1.3.beta1
1.3.rc1
v1.*
v1.0.2
v1.0.3
v1.0.3.php7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4023.json"