Vulnerability Details CVE-2024-22414
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div class="content" tag="content">{{comment[2]|safe}}</div>`. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the `|safe` tag from the HTML above. No fix is is available and users are advised to manually edit their installation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.4%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2024-22414
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.0
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.1
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.2
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.3
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.4
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.5
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.6
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.7
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.8
-
cpe:2.3:a:dogukanurker:flaskblog:1.0.9
-
cpe:2.3:a:dogukanurker:flaskblog:1.1.0