Dogukanurker: >> Flaskblog Security Vulnerabilities
Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-04-21
Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-04-21
A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-04-21
An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-04-17
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/<user>` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div class="content" tag="content">{{comment[2]|safe}}</div>`. Use of the "safe" tag causes flask to _not_ escape the rendered content. To remediate this, simply remove the `|safe` tag from the HTML above. No fix is is available and users are advised to manually edit their installation.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-01-17